Max,

Closing the loop on this. It turns out that there was an extra step needed to get the user in FreeIPA set up as a delegate (the documentation was written for S4U2Proxy, not S4U2Self). Once I set that flag, delegation started working for BOTH Java 8 and Java 9.

Thanks again.

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 11:23 AM, Marc Boorshtein <marc.boorsht...@tremolosecurity.com> wrote:
> Hmm, I think you are right. Here's what the Microsoft docs say: "The
> S4U2proxy extension requires that the service ticket to the first
> service has the forwardable flag set (see Service 1 in the figure
> specifying Kerberos delegation with forwarded TGT, section 1.3.3).
> This ticket can be obtained through an S4U2self protocol exchange."
> I'll follow up with the folks at Red Hat and FreeIPA.
>
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
>
>
> On Mon, Nov 30, 2015 at 10:01 PM, Wang Weijun <weijun.w...@oracle.com> wrote:
>> It is my understanding that if the S4U2self ticket is not forwardable then
>> it cannot be used in a S4U2proxy request. That's why we just threw an exception.
>> Am I wrong? Or you don't intend to use it this way?
>>
>> --Max
>>