The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in a S4U2self response and accept it in a S4U2proxy request.
There are 2 commits now. The 1st is a refactoring that sends more info into the methods (Ex: `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send` there is enough info to decide how to deal with various errors. The 2nd is the actual fix to this issue, i.e. ignore the flag and retry another KDC. ------------- Commit messages: - TGT needs not to be forwardable in S4U2self request - address martin's comments - Merge - also a security property - a system property, do not care where ticket is from, more renames - move KDCReq::encoding to KrbKdcReq::obuf, no more ibuf in KrbTgsReq - a type label for credentials, encoding in KrbKdcReq, and some renames - implement the change - 8272162: S4U2Self ticket without forwardable flag Changes: https://git.openjdk.java.net/jdk/pull/6082/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6082&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8272162 Stats: 413 lines in 17 files changed: 218 ins; 38 del; 157 mod Patch: https://git.openjdk.java.net/jdk/pull/6082.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6082/head:pull/6082 PR: https://git.openjdk.java.net/jdk/pull/6082