4:04 p.m.
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:49 p.m.
New subject: [JBoss JIRA] Commented: (TEIID-1610) Support kerberos authentication forwarding for remote clients
[
https://issues.jboss.org/browse/TEIID-1610?page=com.atlassian.jira.plugin...
]
Steven Hawkins commented on TEIID-1610:
---------------------------------------
Looks great. Do you mean "if
(!Boolean.True.equals(result.getProperty(ILogon.KRB5_ESTABLISHED)))" in
ODBCServerRemoteImpl? Seems like it could be null and we only want to continue if not
established.
Also I was thinking that depending upon how many calls are needed for authentication we
may want to only pass the full connection properties in ILogon.logon and then not pass
them for the negotiation call. That would just require having a placeholder for them on
the server side.
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:27 p.m.
New subject: [JBoss JIRA] Commented: (TEIID-1610) Support kerberos authentication forwarding for remote clients
[
https://issues.jboss.org/browse/TEIID-1610?page=com.atlassian.jira.plugin...
]
Ramesh Reddy commented on TEIID-1610:
-------------------------------------
Good catch Steve. I could not run through ODBC test yet. I do not think there is any
client side configuration for ODBC. Just the server side. In order for the client to work,
you should have logged in as the target user who is doing the authentication, I have not
figured out how I can do that with my test machine.
I see it makes about 2~3 calls, and they seemed slow comparatively. I figured it was not
worth keeping server side state for properties.
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:26 p.m.
New subject: [JBoss JIRA] Commented: (TEIID-1610) Support kerberos authentication forwarding for remote clients
[
https://issues.jboss.org/browse/TEIID-1610?page=com.atlassian.jira.plugin...
]
Steven Hawkins commented on TEIID-1610:
---------------------------------------
Did you try the PG 8.4 JDBC driver in GSSAPI mode? That should at least confirm the
protocol.
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:21 p.m.
New subject: [JBoss JIRA] Updated: (TEIID-1610) Support kerberos authentication forwarding for remote clients
[
https://issues.jboss.org/browse/TEIID-1610?page=com.atlassian.jira.plugin...
]
Ramesh Reddy updated TEIID-1610:
--------------------------------
Assignee: Ramesh Reddy (was: Steven Hawkins)
Fix Version/s: 7.6
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Ramesh Reddy
Fix For: 7.6
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:56 a.m.
New subject: [JBoss JIRA] (TEIID-1610) Support kerberos authentication forwarding for remote clients
[
https://issues.jboss.org/browse/TEIID-1610?page=com.atlassian.jira.plugin...
]
Ramesh Reddy resolved TEIID-1610.
---------------------------------
Resolution: Done
JDBC was tested successfully about a couple weeks ago, there has not been any changes in
the JDBC layer since then. We have seen other issues like
2011-11-29 08:49:11,562 ERROR [org.teiid.SECURITY] (New I/O server worker #1-1) Kerberos
context login failed
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
but, believe these are due to either DES encryption is set to false on the Active
directory, or some other configuration mismatch. In either case, this is external to the
Teiid, so marking as resolved.
One issue still unresolved is, how JDBC client can use the cached credentials of the
logged in user? I have not found any documents/information on this, so this can be further
extension to the GSS API support, which needs to be tracked with separate JIRA.
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Ramesh Reddy
Fix For: 7.6
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:19 a.m.
New subject: [JBoss JIRA] (TEIID-1610) Support kerberos authentication forwarding for remote clients
[
https://issues.jboss.org/browse/TEIID-1610?page=com.atlassian.jira.plugin...
]
Steven Hawkins closed TEIID-1610.
---------------------------------
Support kerberos authentication forwarding for remote clients
-------------------------------------------------------------
Key: TEIID-1610
URL: https://issues.jboss.org/browse/TEIID-1610
Project: Teiid
Issue Type: Enhancement
Components: JDBC Driver
Reporter: Steven Hawkins
Assignee: Ramesh Reddy
Fix For: 7.6
Teiid clients in addition to supporting the standard encrypted login, should be able to
forward an existing ticket. The server would be expected to have a security domain
configured appropriately.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4602
days inactive
4961
days old
6 comments
3 participants
participants (3)
-
Ramesh Reddy (JIRA) -
Ramesh Reddy (Resolved) (JIRA)
-
Steven Hawkins (JIRA)