I have a Java web application running on Tomcat and Linux.
This application uses Kerberos authentication for clients, so workstations are able to connect to the site and their windows credentials will be used to automatically sign them in.
All of this part works fine. However, this web application also needs to call another HTTP server running on Windows to access a service. It does this via Kerberos delegation using the user's credentials. Historically this has worked fine, but with recent Windows updates it is now failing.
The Java application log gives me this error (edited to remove personal information):
ERROR 2023-01-12T05:55:25,392-0800 [[email protected], #B-60, #1855] wp.router.DelegatingStrategy: Kerberos login to winserver01 failed
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13)))
I inspected Kerberos packets using Wireshark on the Java server to see what options are being sent in this TGS request that might generate the error "KDC cannot accommodate requested option (13)".
I see the same thing:
So then I dive deeper into the TGS-REQ to see what option is being requested that can't be satisfied.
Constrained delegation is being set as True even though I'm not using constrained delegation anywhere in this implementation.
Researching it further, I'm thinking this might be something Microsoft Credential Guard is doing.
I've tried to disable it, to no avail. I need some help trying to figure out why constrained delegation is being forced.
I understand all the security implications of not using constrained delegation; I'm just trying to understand what's causing this problem.
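An added example, not part of the original post: a small Python decoder for the KDCOptions field shown in the Wireshark TGS-REQ, which lists by name which bits a request sets (including the constrained-delegation bit 14 the poster noticed). The bit numbers follow RFC 4120 and Wireshark's labels; the sample value is constructed, not taken from the poster's capture.

```python
# Decode the KDCOptions flag field of a Kerberos TGS-REQ (RFC 4120, section 5.4.1).
# Bit 14 is the Microsoft option that Wireshark labels "constrained-delegation"
# (cname-in-addl-tkt). Handy for checking which option a KDC rejects with
# KDC_ERR_BADOPTION (error code 13, "KDC cannot accommodate requested option").

# ASN.1 BIT STRING numbering: bit 0 is the most significant bit of the first byte.
KDC_OPTION_BITS = {
    0: "reserved",
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "allow-postdate",
    6: "postdated",
    8: "renewable",
    11: "opt-hardware-auth",
    14: "constrained-delegation",  # S4U2proxy; the bit the poster saw set
    15: "canonicalize",
    16: "request-anonymous",
    26: "disable-transited-check",
    27: "renewable-ok",
    28: "enc-tkt-in-skey",
    30: "renew",
    31: "validate",
}
KDC_ERR_BADOPTION = 13

def decode_kdc_options(value: int) -> list[str]:
    """Names of every set KDCOptions bit, lowest bit number first."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("KDCOptions is a 32-bit flag field")
    return [KDC_OPTION_BITS.get(bit, f"unused{bit}")
            for bit in range(32) if value & (1 << (31 - bit))]

def decode_kdc_options_bytes(raw: bytes) -> list[str]:
    """Decode the four flag octets of the BIT STRING (after the unused-bits octet)."""
    if len(raw) != 4:
        raise ValueError("expected exactly 4 flag octets")
    return decode_kdc_options(int.from_bytes(raw, "big"))

def requests_constrained_delegation(value: int) -> bool:
    """True if the TGS-REQ asks for S4U2proxy (constrained delegation)."""
    return "constrained-delegation" in decode_kdc_options(value)

if __name__ == "__main__":
    # Constructed sample value, not taken from the poster's capture: a typical
    # Windows TGS-REQ (forwardable, renewable, canonicalize, renewable-ok)
    # with bit 14 added.
    sample = 0x40830010
    print(hex(sample), decode_kdc_options(sample))
```

Feed it the KDCOptions hex value Wireshark shows for the failing TGS-REQ and compare against a working capture to see exactly which option differs.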