I am trying a sample credential delegation program using GSS API on Active Directory Client and Service. On using context.requestCredDeleg(true), when I check context.getCredDelegState(), it returns true on the client side before context establishment. But after context establishment, when I check the credential delegation state on the intermediate server side, it returns false.
I have set "Trust this user for delegation to any service (Kerberos only)" for the user. Also, the "Account is sensitive and cannot be delegated" field is unchecked in the Active Directory Administrative Center user properties. The same has been applied to the service user properties as well. I am running both client and server on the same computer, which is part of the Kerberos domain; for that computer's properties also, delegation is allowed in Active Directory Administrative Center.
I used the following as reference:
Client-Server program source: http://docs.oracle.com/javase/1.4.2/docs/guide/security/jgss/tutorials/BasicClientServer.html
Credential Delegation doc: http://docs.oracle.com/javase/1.4.2/docs/guide/security/jgss/tutorials/MoreToDo.html#DelCr
The sample client-server is working fine, only I am not able to do credential delegation.
I found the solution (hope it will help someone facing the same problem):
In the krb5.ini file, forwardable = true should be set in the [libdefaults] section instead of [appdefaults].
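
A way to check a krb5.ini for the misplacement described in the solution above, as an added example that is not part of the original post. The function names, the sample file contents and the EXAMPLE.COM realm are constructed for illustration, and treating only "true" and "yes" as enabled is an assumption.

```python
import re

# Constructed sample krb5.ini contents (EXAMPLE.COM is a placeholder realm).
BROKEN = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[appdefaults]
    forwardable = true
"""
FIXED = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
"""

TRUE_VALUES = {"true", "yes"}  # assumption: spellings accepted as "enabled"

def find_setting(text, key):
    """Return [(section, nesting_path, value)] for every occurrence of key."""
    hits, section, path = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                  # new [section] resets nesting
            section, path = m.group(1).lower(), []
            continue
        if line.startswith("}"):               # end of a nested { } block
            if path:
                path.pop()
            continue
        name, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if value == "{":                       # e.g. "myapp = {" in [appdefaults]
            path.append(name)
        elif name == key:
            hits.append((section, tuple(path), value))
    return hits

def delegation_ready(text):
    """True only if forwardable is enabled at the top level of [libdefaults]."""
    return any(sec == "libdefaults" and not path and val.lower() in TRUE_VALUES
               for sec, path, val in find_setting(text, "forwardable"))

def misplaced(text):
    """Sections other than [libdefaults] where forwardable was set."""
    return [(sec, path) for sec, path, _ in find_setting(text, "forwardable")
            if sec != "libdefaults"]
```

Running delegation_ready() and misplaced() over the client's actual krb5.ini shows whether a forwardable setting exists but sits in a section other than [libdefaults], which is the situation the post describes.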