]
Lin Gao reassigned WFLY-5557:
-----------------------------
Assignee: Lin Gao
Kerberos authentication for remoting on hostname which contains
uppercase letter
--------------------------------------------------------------------------------
Key: WFLY-5557
URL:
https://issues.jboss.org/browse/WFLY-5557
Project: WildFly
Issue Type: Bug
Components: Domain Management, Remoting, Security
Affects Versions: 10.0.0.CR3
Reporter: Martin Choma
Assignee: Lin Gao
Priority: Critical
When EAP runs on server, which contains upper case in hostname (e.g.
localhost.Localdomain), it is unpossible to make kerberos authentication in remoting to
work properly.
JDK constructs TGT-REQ with lower case hostname. But remoting client create connection to
EAP with upper case letters, what cause problems.
RFC4120 "The Kerberos Network Authentication Service" [1] in chapter
"6.2.1. Name of Server Principals" requires ??Where the name of the host is not
case sensitive (for example, with Internet domain names) the name of the host MUST be
lowercase.??
Based on information from RFC, IMHO, EAP should handle such scenario. Either remoting
client should send lowercase hostname or security realm should map principal case
insensitively and look for lower-case keytab record, e.g. remote/localhost.localdomain.
[1]
https://www.ietf.org/rfc/rfc4120.txt