
How can we configure which Encryption Ciphers a Java Waffle SSPI Kerberos Single Sign On (SSO) client should use?

How can we best debug which ciphers are actually being used by the client and server?

Background

We need to restrict the Encryption Ciphers used for Kerberos SSO, removing ciphers now considered weak.

Our Setup

The Java Application Server implements SSO via pure Java GSSAPI.

The Java Client implements SSO by two configurable SSO APIs:

  • On Linux or Windows 10 without Credential Guard active: via pure Java GSSAPI.

  • On Windows 10 with Credential Guard active: via Java Waffle + Microsoft SSPI API.

The Kerberos “back-end” is Windows Active Directory.

What we already know

On the pure Java GSSAPI implementations (Server and Client) we can set the system property java.security.krb5.conf to point at a krb5.conf file in which we can explicitly configure the encryption types, e.g.

    [libdefaults]
        default_tkt_enctypes = aes256-cts
        default_tgs_enctypes = aes256-cts
        permitted_enctypes = aes256-cts

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part4.html

With GSSAPI we can get debug information with the system property sun.security.krb5.debug=true.

However, on the Waffle SSPI client neither system property has any effect. In retrospect this is not surprising, because SSPI is not calling the Java runtime Kerberos code.

My guess is that SSPI takes the permitted encryption types from the Windows Operating System, and that we may not be able to configure the types from the java application.

The Waffle website suggests the following link for Kerberos Debugging:

https://support.microsoft.com/en-us/help/262177/how-to-enable-kerberos-event-logging

FlyingSheep
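As an added illustration of the krb5.conf side of this (example code, not from the question, Waffle or the JDK), here is a small Python audit that parses the [libdefaults] enctype keys and reports which still permit single DES, DES3 or RC4 (deprecated by RFC 6649 and RFC 8429) and which keys are unset, so the library would fall back to its built-in defaults; the two sample configs are constructed. It only covers the pure Java GSSAPI path, since, as noted above, the SSPI client never reads krb5.conf.

```python
import re

# Enctype name prefixes treated as weak or deprecated: single DES (RFC 6649),
# DES3 and RC4/arcfour (RFC 8429). Anything else (the AES types) is left alone.
WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")  # [libdefaults] keys that carry enctype lists

def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys found in [libdefaults]."""
    # krb5.conf is INI-like: [section] headers, key = value lines, '#'/';' comments,
    # and enctype lists separated by spaces and/or commas.
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            found[key] = [e for e in re.split(r"[\s,]+", value.lower()) if e]
    return found

def weak_enctypes(settings):
    """Map each enctype key to the weak/deprecated entries it still permits."""
    return {k: [e for e in v if e.startswith(WEAK_PREFIXES)] for k, v in settings.items()}

def missing_keys(settings):
    """Enctype keys not set at all; the library then uses its built-in default list."""
    return [k for k in ENCTYPE_KEYS if k not in settings]

# Constructed sample: RC4 is still listed for the TGT and permitted_enctypes is unset.
SAMPLE_BEFORE = """
[libdefaults]
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac   # RC4 still allowed
    default_tgs_enctypes = aes256-cts, aes128-cts
"""

# Constructed sample in the shape the question already uses: AES only, all three keys set.
SAMPLE_AFTER = """
[libdefaults]
    default_tkt_enctypes = aes256-cts
    default_tgs_enctypes = aes256-cts
    permitted_enctypes = aes256-cts
"""
```

Running weak_enctypes and missing_keys over both samples shows rc4-hmac on default_tkt_enctypes and the absent permitted_enctypes in the first, and nothing to report in the second.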
  • Why not just disable the use of those weaker ciphers in AD for the users and service principals in question? The client is going to solicit which ciphers it can use. If AD only returns the ones you deem secure, the client can only ever use those. – Steve Feb 13 '20 at 17:05
  • @Steve that would back up my hunch that "...SSPI takes the encryption types from the Windows OS...", so if the users and service are properly set up in AD, nothing else needs doing. This contrasts with pure Java GSSAPI, which by its nature is not so tightly integrated with Windows / AD, and requires me to configure the encryption types via the krb5.conf file – FlyingSheep Feb 14 '20 at 09:06

0 Answers