Tags: windows, active-directory, kerberos, java-ee-8

Canonicalize in kdc-options is automatically set to true in Windows


I have recently written a piece of code with JavaEE8 that authenticates users, requesting services from an application server, using Kerberos in an Active Directory domain. This includes a process which uses a keytab file to authenticate the server against the kdc of the target domain.
Everything works fine when using current systems but now I have to authenticate the server using a kdc that's running on Windows 2008 Server.
I struggled with the java.lang.RuntimeException: javax.security.auth.login.LoginException: Message stream modified (41) for a while now and finally figured out the problem:
The KDC on the Windows 2008 machine apparently doesn't yet support RFC 6806 - Section 11 FAST scheme (ENC-PA-REP flag) and thus the client must not use the kdc-option canonicalize=true.
Although the default value for canonicalize should be false (according to the MIT Kerberos documentation), it is in fact set to true all the time when using a Windows machine as the client.
This can be seen by tracking the network traffic with Wireshark and looking in the AS-REQ under req-body --> kdc-options --> canonicalize.
Interestingly enough, this only occurs on Windows. When using Linux as a client, canonicalize is set to false by default and everything works just fine.

I tried adding every setting I could find which bears any reference to canonicalization to the krb5.conf used by my client, but nothing actually changed the canonicalized kdc-option as seen in the AS-REQ.
So there seems to be some setting in Windows specifically that overrides the canonicalize kdc-option to always be true.

If anyone has any idea as to what that may be and how I could possibly change that behaviour, I would be ever so thankful!

Here's what my krb5.conf libdefaults section currently looks like:

[libdefaults]
  default_realm = [our realm name]
  dns_lookup = false
  dns_lookup_kdc = false
  dns_lookup_realm = false
  default_tkt_enctypes = aes256-cts rc4-hmac
  default_tgs_enctypes = aes256-cts
  permitted_enctypes = aes256-cts
  canonicalize = false
  dns_canonicalize_hostname = false
  rdns = false


EDIT: I now also tried to set the kdc_default_options = 0x00000000 in the krb5.conf file. This is the value that is set by default when running on Linux, whilst on Windows it is always set to 00010000. (The difference is that the canonicalize parameter within the kdc-options is set to true with 00010000).
Sadly enough, this didn't change a thing. Neither did adding this parameter with 00010000 to the Linux version, which makes me wonder whether these parameters from the krb5.conf are actually even used.
I know that the ones describing the domain, realm, KDC and encryption types are in fact used from that file, but the rest of them don't really seem to have any impact whatsoever.

Does anyone have any experience with this kind of behaviour?
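The question compares kdc_default_options values of 0x00000000 and 0x00010000 and states that the latter has the canonicalize flag set. The reason is the bit numbering of the KDCOptions bit string in RFC 4120 section 5.4.1 (bit 0 is the most significant bit of the 32-bit value), under which canonicalize(15), assigned by RFC 6806, maps to mask 0x00010000. The following decoder is an added example, not code from the question or the answer; the sample values in main are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Decodes the KDCOptions bit string from the req-body of an AS-REQ into flag names.
 * Bit positions follow RFC 4120 section 5.4.1 (bit 0 = most significant bit),
 * with canonicalize(15) from RFC 6806. Unused bit positions are reported by number.
 */
public final class KdcOptions {

    /** Flag names indexed by RFC 4120 bit position; null marks an unused bit. */
    private static final String[] FLAG_NAMES = new String[32];
    static {
        FLAG_NAMES[0]  = "reserved";
        FLAG_NAMES[1]  = "forwardable";
        FLAG_NAMES[2]  = "forwarded";
        FLAG_NAMES[3]  = "proxiable";
        FLAG_NAMES[4]  = "proxy";
        FLAG_NAMES[5]  = "allow-postdate";
        FLAG_NAMES[6]  = "postdated";
        FLAG_NAMES[8]  = "renewable";
        FLAG_NAMES[11] = "opt-hardware-auth";
        FLAG_NAMES[15] = "canonicalize";          // RFC 6806
        FLAG_NAMES[26] = "disable-transited-check";
        FLAG_NAMES[27] = "renewable-ok";
        FLAG_NAMES[28] = "enc-tkt-in-skey";
        FLAG_NAMES[30] = "renew";
        FLAG_NAMES[31] = "validate";
    }

    /** Mask for a given RFC 4120 bit position: bit 0 is the MSB of the 32-bit word. */
    public static int mask(int bit) {
        return 1 << (31 - bit);
    }

    /** True when the canonicalize flag (bit 15, mask 0x00010000) is set. */
    public static boolean isCanonicalize(int options) {
        return (options & mask(15)) != 0;
    }

    /** Names of all flags set in the given KDCOptions value, in bit order. */
    public static List<String> decode(int options) {
        List<String> set = new ArrayList<>();
        for (int bit = 0; bit < 32; bit++) {
            if ((options & mask(bit)) != 0) {
                String name = FLAG_NAMES[bit];
                set.add(name != null ? name : "unused" + bit);
            }
        }
        return set;
    }

    public static void main(String[] args) {
        // Constructed sample values: the Windows default quoted in the question,
        // and a request with only forwardable and renewable-ok set.
        int windowsDefault = 0x00010000;
        int forwardableRenewableOk = mask(1) | mask(27);
        System.out.printf("0x%08x -> %s (canonicalize=%b)%n",
                windowsDefault, decode(windowsDefault), isCanonicalize(windowsDefault));
        System.out.printf("0x%08x -> %s (canonicalize=%b)%n",
                forwardableRenewableOk, decode(forwardableRenewableOk),
                isCanonicalize(forwardableRenewableOk));
    }
}
```

Running this prints 0x00010000 as [canonicalize] and 0x40000010 as [forwardable, renewable-ok], which is the quick way to confirm whether a kdc-options value captured in Wireshark carries the canonicalize flag before blaming the KDC.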


Solution

  • I had exactly the same problem.

    After much debugging, I solved it by setting the system property

    sun.security.krb5.disableReferrals=true


    In this way, the request is not canonicalized.
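The answer names the system property but not where to set it in a JAAS keytab login. Below is an added example, not code from the question or the answer, of a programmatic Krb5LoginModule configuration that sets the property before the login runs. It assumes the JDK reads sun.security.krb5.disableReferrals once, when its Kerberos configuration class is first initialized, so the property is set in a static initializer of the class that performs the login (passing -Dsun.security.krb5.disableReferrals=true on the command line is the equivalent). The principal, keytab and krb5.conf paths are placeholders to be replaced with the deployment's own values.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Keytab-based JAAS login that disables referrals (and with them the
 * canonicalize kdc-option) so the AS-REQ is accepted by a KDC without
 * RFC 6806 support. Added example; not the question's or answer's code.
 */
public final class KeytabLogin {

    // Set before any sun.security.krb5 class is loaded (assumption: the JDK
    // reads the property once at Kerberos configuration initialization).
    static {
        System.setProperty("sun.security.krb5.disableReferrals", "true");
    }

    /** Builds a JAAS Configuration for Krb5LoginModule that authenticates from a keytab. */
    static Configuration keytabConfiguration(String principal, String keytabPath) {
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", keytabPath);
        options.put("principal", principal);
        options.put("storeKey", "true");        // keep the key so the service can accept contexts later
        options.put("doNotPrompt", "true");     // never fall back to asking for a password
        options.put("refreshKrb5Config", "true");
        // isInitiator is left at its default (true): the module then obtains a TGT
        // during login, which is the AS-REQ whose kdc-options the question inspected.
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Performs the login and returns the authenticated Subject holding the TGT. */
    public static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext lc = new LoginContext("keytab-login", null, null,
                keytabConfiguration(principal, keytabPath));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Placeholder values: replace with the service principal, keytab and krb5.conf in use.
        System.setProperty("java.security.krb5.conf", "/path/to/krb5.conf");
        Subject subject = login("HTTP/app.example.com@EXAMPLE.COM", "/path/to/app.keytab");
        System.out.println("Authenticated principals: " + subject.getPrincipals());
    }
}
```

If the login still fails with "Message stream modified (41)", capture the AS-REQ again and check that kdc-options no longer has canonicalize set; if it does, the property was set after the JDK's Kerberos classes had already been loaded (for example by an earlier login in the same JVM), and it must move to the command line or to an earlier point in startup.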