Hello,

Windows has changed the default such that the session key is not included in the TGT, and for Windows SSO to work with the Java implementation out of the box it will require the AllowTGTSessionKey option to be added to the registry. However, this option has an associated security risk as it exposes the session key to all apps, and it also means that right now Kerberos SSO in Windows does not work out of the box.

Looking at the Java bug database, there has been a suggestion that Java could support SSPI as a JGSS-API provider, which would allow Java to work out of the box without the AllowTGTSessionKey option (http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6722928). However, in the evaluation it says:

"Might support it, although I hope most of the functions of Windows SSPI can also be supported by pure Java. Interop is important between different platforms."

I would like to understand what the "Interop" concern is here. Have we evaluated how much work needs to be done to support it (so that we can consider contributing the implementation)?

Sunny Chan
Executive Director, Technology
Goldman Sachs (Asia) L.L.C.