Max,
Closing the loop on this. It turns out that there was an extra step
needed to get the user in FreeIPA set up as a delegate (the
documentation was written for S4U2Proxy, not S4U2Self). Once I set
that flag, delegation started working for BOTH Java 8 and Java 9.
Thanks again.
Marc Boorshtein
e obtained through an S4U2self protocol exchange.".
I'll follow up with the folks at Red Hat and FreeIPA.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
On Mon, Nov 30, 2015 at 10:01 PM, Wang Weijun wrote:
> It is my understanding that if
ject.java:422)
at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
at test24u2.KerberosDemo.main(KerberosDemo.java:215)
Caused by: KrbException: S4U2self ticket must be FORWARDABLE
at sun.security.krb5.internal.CredentialsUtil.
ava.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
at test24u2.KerberosDemo.main(KerberosDemo.java:215)
Caused by: KrbExcep