Java, Kerberos, Windows, and Credential Guard

2018-08-02

In Windows, Credential Guard is a security mechanism that increases security by isolating secrets in a virtualization-based, isolated part of the operating system. This measure prevents credential theft attacks such as pass-the-hash or pass-the-ticket.

With regard to using Kerberos from Java, Credential Guard has a deep impact when a Java program acts as a client in the Kerberos protocol under Windows. Usually, such a client retrieves an already existing ticket from the Windows Kerberos ticket store, and Java software does this through the Java GSS API. Unfortunately, Java uses the outdated Local Security Authority (LSA) API for this access, which does not work when Credential Guard is activated under Windows. The problem occurs when useTicketCache=true is set in the Java GSS API configuration. In contrast, obtaining a Kerberos ticket with a username and password or with a keytab file is no problem.
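The two configurations contrasted above, as an added example that is not code from the original post: a programmatic JAAS configuration for Krb5LoginModule that first tries the Windows ticket store (useTicketCache=true, the LSA-based path that fails under Credential Guard) and falls back to a keytab login, which does not depend on the OS ticket store. The principal name, keytab path and the "KerberosClient" context name are assumptions.

```java
// Added example, not part of the original post. Builds Krb5LoginModule
// configurations in code so the two login paths can be compared side by side.
// Principal, keytab path and context name are hypothetical values.
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosLoginExample {

    private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Options that reuse the existing TGT from the Windows ticket store (read via LSA). */
    static Map<String, String> ticketCacheOptions() {
        Map<String, String> o = new HashMap<>();
        o.put("useTicketCache", "true");   // read the OS ticket cache; fails under Credential Guard
        o.put("doNotPrompt", "true");      // never fall back to an interactive password prompt
        o.put("renewTGT", "true");
        return o;
    }

    /** Options that obtain a fresh TGT from the KDC with a keytab; independent of the OS ticket store. */
    static Map<String, String> keytabOptions(String principal, String keytabPath) {
        Map<String, String> o = new HashMap<>();
        o.put("useKeyTab", "true");
        o.put("keyTab", keytabPath);
        o.put("principal", principal);
        o.put("storeKey", "true");         // keep the key in the Subject for later GSS use
        o.put("doNotPrompt", "true");
        o.put("isInitiator", "true");
        return o;
    }

    /** Wraps one set of module options in a JAAS Configuration, so no jaas.conf file is needed. */
    static Configuration configurationFor(final Map<String, String> options) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
    }

    /** Runs the JAAS login with the given options and returns the authenticated Subject. */
    static Subject login(Map<String, String> options) throws LoginException {
        // doNotPrompt=true means the module never calls a CallbackHandler, so null is acceptable here.
        LoginContext lc = new LoginContext("KerberosClient", null, null, configurationFor(options));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) {
        // Hypothetical values; replace with your own service principal and keytab.
        String principal = "svc-app@EXAMPLE.COM";
        String keytab = "C:\\secrets\\svc-app.keytab";

        Subject subject;
        try {
            // First choice: reuse the logged-on user's Windows TGT.
            subject = login(ticketCacheOptions());
            System.out.println("Logged in from Windows ticket cache: " + subject.getPrincipals());
        } catch (LoginException cacheFailure) {
            // With Credential Guard active the LSA-based cache access fails; use the keytab instead.
            System.err.println("Ticket cache login failed: " + cacheFailure.getMessage());
            try {
                subject = login(keytabOptions(principal, keytab));
                System.out.println("Logged in with keytab: " + subject.getPrincipals());
            } catch (LoginException keytabFailure) {
                System.err.println("Keytab login failed: " + keytabFailure.getMessage());
                System.exit(1);
            }
        }
    }
}
```

The fallback order matters for least privilege: a keytab is a long-lived credential equivalent to the service account's password, so it should only be deployed on hosts where the ticket-store path is known not to work, and with file permissions restricted to the account running the JVM.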

The outdated Java GSS API implementation under Windows is described in more detail in the following blog post.

Fortunately, the OpenJDK development team seems to have planned a solution for the problem with Credential Guard: by implementing a native Windows interface for the Java GSS API that uses the Windows SSPI interface, the Java Kerberos implementation can access the Windows ticket store no matter whether Credential Guard is activated or not.

If you need to access the Windows Kerberos ticket store with Credential Guard enabled before the mentioned solution is ready, the only option is to use Waffle, a library which accesses the Windows SSPI API via JNA.
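The Waffle-based workaround, as an added example that is neither the post's nor the Waffle project's own code: a client obtains its initial Negotiate (Kerberos) token from SSPI through Waffle and formats it as an HTTP Authorization header, so the Java process never touches the LSA ticket-cache path that Credential Guard blocks. The class and method names (WindowsSecurityContextImpl.getCurrent, getToken, dispose) are assumed from the waffle-jna API as I recall it and should be checked against the Waffle version in use; the target SPN is a hypothetical value.

```java
// Added example, not from the original post or the Waffle project. Assumes the
// waffle-jna artifact on the classpath and a Windows host joined to a domain.
import java.util.Base64;

import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

public class SspiClientTokenExample {

    /**
     * Asks SSPI (via Waffle/JNA) for the initial Negotiate token of the current
     * Windows user for the given service principal name and returns it in the
     * form used by the HTTP Authorization header.
     */
    static String negotiateHeader(String targetSpn) {
        // getCurrent() uses the logged-on user's credentials; SSPI obtains the
        // service ticket itself, so Credential Guard's isolation is respected.
        IWindowsSecurityContext ctx = WindowsSecurityContextImpl.getCurrent("Negotiate", targetSpn);
        try {
            byte[] token = ctx.getToken();
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose(); // release the SSPI context handle
        }
    }

    public static void main(String[] args) {
        String spn = "HTTP/intranet.example.com"; // hypothetical target service
        System.out.println("Authorization: " + negotiateHeader(spn));
    }
}
```

Because the ticket request is performed inside SSPI rather than in the JVM, the session key never has to be exported to the Java process; that is exactly the boundary Credential Guard enforces and the reason this path keeps working where the LSA-based cache lookup does not.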
