Implement properly Cross Domain Kerberos using JavaKerberos #36
Comments
@pierresouchay The serverSpn connection property allows you to use Kerberos in a cross realm scenario. If you are looking for the Java 7 compatible version, are you able to use the JDBC 4.1 compliant jar (which you can build here, retrieve from Maven (look for version 6.1.0.jre7), or obtain from the latest driver package on the Microsoft Download Center)?
@v-mabarw I have a working patch for the driver. What it does: for generating an SPN (in makeSPN()), try to find a valid REALM name (for the Oracle JVM using sun.security.krb5.Config.getKDCList(realm)) by looking into the hostname (so for myserver.sub.domain.com, it would look for a realm called myserver.sub.domain.com, then sub.domain.com, domain.com and finally com). If no valid realm is found (i.e. getKDCList() never returned any KDC), ignore it. If an SPN has been provided by the user, do the same if the SPN is not suffixed with a REALM, but do not try the canonical name. The code could be enhanced a bit by having another mechanism for other JVMs (such as the one from IBM) to detect the REALM. See Pull Request 40: #40
@pierresouchay - hoping to get PR #40 merged in one of our next few releases 😄
Ok, I made the changes in PR #40 as requested. We are really interested in this feature, as its absence forces us to write and use our own JDBC Driver encapsulating your driver in order to make it work in Cross Realm (we use almost the same computation as the one from #40) in order to pre-compute JDBC URLs, perform the reverse DNS if necessary and set the SPN ourselves.
Thank you so much @pierresouchay! PR #40 is tested and merged now. As you mentioned, the fix does not work on the IBM JVM and needs a different implementation. Could you please create a new issue so that we can fix this later?
@v-afrafi I think it should now work with the IBM JVM since we fall back on DNS resolution for identifying the REALM.
@pierresouchay You are correct. Just confirming that we got the same results with IBM. Thank you for your contribution again!
Cool ;) Happy to know the fallback system works with any JVM
The Driver wrongly assumes the SPN to have the same value as the default_realm in krb5.conf.
Which means that when connecting with principal my.user@MYREALM.COM to sqlserver:PORT@MYOTHERTRUSTEDREALM.COM, the driver wrongly assumes the SPN is MSSQLSvc/sqlserver:PORT@MYREALM.COM instead of the right MSSQLSvc/sqlserver:PORT@MYOTHERTRUSTEDREALM.COM, even if DNS is correctly set up and the domain-to-REALM mappings are correctly described in the krb5.conf file.
Using the default_realm is evil and should not be used at all.
Since the latest driver (jdbc42, version 6.0), it is possible to override the SPN, but older drivers (compatible with Java 7) cannot. Would it be possible to implement this feature?
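To make the two behaviours discussed in this thread concrete, here is an added example (not mssql-jdbc code, and not the PR #40 patch itself) that builds the SPN the old way (always appending default_realm, as the issue describes) next to the suffix-walk approach from the comment above, with the DNS/domain_realm fallback mentioned later in the thread. The KDC table, the domain_realm map, the realm names and the hostnames are constructed for the example; `has_kdc` stands in for `sun.security.krb5.Config.getKDCList()` and nothing here touches the network.

```python
"""Added example (not mssql-jdbc code): SPN construction for a SQL Server host
in a cross-realm Kerberos setup. KDC_TABLE, DOMAIN_REALM, DEFAULT_REALM and
the hostnames below are constructed values, not real infrastructure."""
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the KDCs a krb5 library would know about
# (krb5.conf [realms] or DNS SRV records). Only these realms "have a KDC".
KDC_TABLE: Dict[str, List[str]] = {
    "MYREALM.COM": ["kdc1.myrealm.com"],
    "MYOTHERTRUSTEDREALM.COM": ["kdc1.myothertrustedrealm.com"],
}

# Constructed stand-in for a krb5.conf [domain_realm] section, used as the
# fallback when no suffix of the hostname is itself a realm with a KDC.
DOMAIN_REALM: Dict[str, str] = {
    ".sql.corp.example": "MYOTHERTRUSTEDREALM.COM",
}

DEFAULT_REALM = "MYREALM.COM"  # the client's realm, used blindly by the old code


def has_kdc(realm: str) -> bool:
    """Stand-in for getKDCList(realm): True if at least one KDC is known."""
    return bool(KDC_TABLE.get(realm))


def candidate_realms(hostname: str) -> List[str]:
    """Realm candidates from a hostname, longest suffix first:
    myserver.sub.domain.com -> MYSERVER.SUB.DOMAIN.COM, SUB.DOMAIN.COM, DOMAIN.COM, COM"""
    labels = [part for part in hostname.strip(".").split(".") if part]
    return [".".join(labels[i:]).upper() for i in range(len(labels))]


def realm_from_domain_realm(hostname: str) -> Optional[str]:
    """Fallback: the longest matching [domain_realm] entry (exact host first,
    then each parent domain written with a leading dot)."""
    host = hostname.lower().rstrip(".")
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in DOMAIN_REALM:
            return DOMAIN_REALM[key]
    return None


def find_realm(hostname: str, kdc_probe: Callable[[str], bool] = has_kdc) -> Optional[str]:
    """Walk the hostname suffixes and keep the first realm that has a KDC;
    if none does, fall back to the domain_realm mapping."""
    for realm in candidate_realms(hostname):
        if kdc_probe(realm):
            return realm
    return realm_from_domain_realm(hostname)


def make_spn_old(host: str, port: int) -> str:
    """The behaviour the issue reports: default_realm is appended unconditionally,
    which is wrong whenever the server lives in another (trusted) realm."""
    return f"MSSQLSvc/{host}:{port}@{DEFAULT_REALM}"


def make_spn(host: str, port: int, user_spn: Optional[str] = None,
             kdc_probe: Callable[[str], bool] = has_kdc) -> str:
    """SPN whose realm is derived from the target host, never from default_realm.
    A user-supplied SPN that already carries '@REALM' is used verbatim; one
    without a realm gets the realm derived from its own host part."""
    if user_spn is not None:
        if "@" in user_spn:
            return user_spn
        service_host = user_spn.split("/", 1)[-1].split(":", 1)[0]
        realm = find_realm(service_host, kdc_probe)
        return user_spn if realm is None else f"{user_spn}@{realm}"
    spn = f"MSSQLSvc/{host}:{port}"
    realm = find_realm(host, kdc_probe)
    # No realm found anywhere: leave the SPN unqualified rather than guessing.
    return spn if realm is None else f"{spn}@{realm}"


if __name__ == "__main__":
    target = "sqlserver.myothertrustedrealm.com"
    print("old:            ", make_spn_old(target, 1433))
    print("suffix walk:    ", make_spn(target, 1433))
    print("domain_realm:   ", make_spn("db01.sql.corp.example", 1433))
    print("user SPN kept:  ", make_spn(target, 1433, user_spn="MSSQLSvc/x:1@FOO.COM"))
```

Running the block prints the wrong `@MYREALM.COM` SPN from the issue beside the correct `@MYOTHERTRUSTEDREALM.COM` one; the third line shows a host that is not itself under a realm name being mapped through the constructed domain_realm table, which is the kind of fallback that also works on JVMs without the Sun-internal KDC lookup.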