[OPENAM-4923] Update Windows Desktop SSO module to allow whitelisting Kerberos realms/KDCs Created: 10/Nov/14  Updated: 20/Nov/16  Resolved: 22/Dec/14

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: New Feature Priority: Minor
Reporter: Bernhard Thalmayr Assignee: Bernhard Thalmayr
Resolution: Fixed Votes: 1
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

java version "1.7.0_67"
Apache Tomcat 7.0.37
OpenAM 12.0.0-SNAPSHOT Build 11345 (2014-November-06 21:12)

Issue Links:
relates to OPENAM-5721 WindowsDesktopSSO trusted realm list ... Resolved
is related to OPENAM-7556 Upgrade from 11.0.3/12.0.0 to 13.0.0 ... Resolved
Support Ticket IDs:


Use-Case: Multiple-Kerberos Domains; Cross-Domain-Trust; similar multiple AD-Domains, say 'Domain A' and 'Domain B'.

Domain A needs to trust Domain B to grant access to resources (e.g. Windows shares).

However it should only be possible to use Kerberos tickets from Domain A to be authenticated at OpenAM.


authentication module must fail if a Kerberos ticket from another domain is used to be able to use a proper auth chain.

Currently OpenAM WDSSO module will just validate the ticket and authentication will be successful as long as any ticket is valid.

using 'profile lookup' feature together with 'Return Principal with Domain Name' are not sufficient to fulfill the 2nd requirement

Comment by Sam Drew [ 12/Nov/14 ]

Any idea how long this will take to fix?

Comment by Bernhard Thalmayr [ 17/Nov/14 ]

Actual fix, 1 hour … review some days

Comment by Bernhard Thalmayr [ 18/Nov/14 ]

fixed in 11.0.3 with R11440

Comment by Bernhard Thalmayr [ 17/Dec/14 ]

Fix in 13.0.0 with R11956

Comment by Bernhard Thalmayr [ 22/Dec/14 ]

Fixed in 12.0.1 with R12000

Generated at Tue Oct 27 05:46:03 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.