[OPENAM-4923] Update Windows Desktop SSO module to allow whitelisting Kerberos realms/KDCs
Created: 10/Nov/14 Updated: 20/Nov/16 Resolved: 22/Dec/14
|Affects Version/s:||10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0|
|Fix Version/s:||11.0.3, 12.0.1, 13.0.0|
|Reporter:||Bernhard Thalmayr||Assignee:||Bernhard Thalmayr|
java version "1.7.0_67"
Use-Case: Multiple-Kerberos Domains; Cross-Domain-Trust; similar multiple AD-Domains, say 'Domain A' and 'Domain B'.
Domain A needs to trust Domain B to grant access to resources (e.g. Windows shares).
However, it should only be possible to use Kerberos tickets from Domain A to be authenticated at OpenAM.
The authentication module must fail if a Kerberos ticket from another domain is used, to be able to use a proper auth chain.
Currently the OpenAM WDSSO module will just validate the ticket, and authentication will be successful as long as any ticket is valid.
Using the 'profile lookup' feature together with 'Return Principal with Domain Name' is not sufficient to fulfill the 2nd requirement.
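One way to express the requested check, as an added example (not the code committed for this issue): after the ticket has been validated, take the realm from the client principal and fail the module unless that realm is on an allow-list. The class `RealmAllowList`, its methods and the realm names are hypothetical, and the principal is assumed to arrive in the usual `name@REALM` string form.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration (hypothetical class, not OpenAM code): fail-closed realm allow-list.
public final class RealmAllowList {
    private final Set<String> trustedRealms;

    public RealmAllowList(Set<String> trustedRealms) {
        this.trustedRealms = Collections.unmodifiableSet(new HashSet<String>(trustedRealms));
    }

    // Realm after the single unescaped '@'; null if missing, empty or ambiguous.
    static String realmOf(String principal) {
        if (principal == null) return null;
        int at = -1;
        for (int i = 0; i < principal.length(); i++) {
            char c = principal.charAt(i);
            if (c == '\\') { i++; continue; }   // backslash escapes the next character
            if (c == '@') {
                if (at >= 0) return null;       // second separator: malformed, reject
                at = i;
            }
        }
        return (at < 0 || at == principal.length() - 1) ? null : principal.substring(at + 1);
    }

    // Exact, case-sensitive match: Kerberos realm names are case-sensitive.
    public boolean isTrusted(String principal) {
        String realm = realmOf(principal);
        return realm != null && trustedRealms.contains(realm);
    }

    public static void main(String[] args) {
        // Constructed sample data: only Domain A's realm is trusted.
        RealmAllowList allow = new RealmAllowList(Collections.singleton("DOMAINA.EXAMPLE"));
        for (String p : Arrays.asList(
                "alice@DOMAINA.EXAMPLE",                    // trusted realm
                "bob@DOMAINB.EXAMPLE",                      // valid ticket, other realm
                "carol\\@DOMAINA.EXAMPLE@DOMAINB.EXAMPLE",  // escaped '@' is part of the name
                "dave@domaina.example",                     // case differs
                "eve")) {                                   // no realm at all
            System.out.println(p + " -> " + (allow.isTrusted(p) ? "accept" : "fail module"));
        }
    }
}
```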
|Comment by Sam Drew [ 12/Nov/14 ]|
Any idea how long this will take to fix?
|Comment by Bernhard Thalmayr [ 17/Nov/14 ]|
Actual fix, 1 hour … review some days
|Comment by Bernhard Thalmayr [ 18/Nov/14 ]|
Fixed in 11.0.3 with R11440
|Comment by Bernhard Thalmayr [ 17/Dec/14 ]|
Fix in 13.0.0 with R11956
|Comment by Bernhard Thalmayr [ 22/Dec/14 ]|
Fixed in 12.0.1 with R12000