[jboss-jira] [JBoss JIRA] (WFLY-8506) Elytron SPNEGO authentication in deployment over HTTPS, EAP requests for HTTPS/hostname ticket.
Darran Lofthouse (JIRA)
issues at jboss.org
Wed Sep 27 06:41:01 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved WFLY-8506.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Rejected
> Elytron SPNEGO authentication in deployment over HTTPS, EAP requests for HTTPS/hostname ticket.
> -----------------------------------------------------------------------------------------------
>
> Key: WFLY-8506
> URL: https://issues.jboss.org/browse/WFLY-8506
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Labels: eap71_beta_candidate, kerberos, spnego, tls
>
> Accessing deployment secured by Kerberos + TLS causes EAP requests from KDC ticket HTTPS/hostname.
> See network dump krb_https_deployment.pcap in attachement, where TGS-REQ for HTTPS/localhost is captured.
> If I configure HTTPS/hostname in KDC and kerberos credential factory to use principal HTTPS/hostname it works correctly. But I still believe it is bug:
> * At least it is not consistent with legacy management interface behaviour (JBEAP-8572).
> * found 2 sources describing protocol and service does not match 1:1 and for https protocol HTTP/hostname SPN should be used [1][2]
> [1] https://sites.google.com/a/chromium.org/dev/developers/design-documents/http-authentication
> [2] https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on-internet-information-services
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list