I'm trying to use the latest JDK 8 to perform resource-based constrained delegation, and I seem to be running into issues getting the service ticket for the last leg of the S4U2Proxy call.
Here is my setup: two Microsoft AD forests with two-way forest authentication enabled.
- ForestA: forestA.com
- ForestB: forestB.com
- The front-end service is in ForestA with an SPN of http/myappserver.forestA.com
- The back-end service is in ForestB with an SPN of http/backend.forestB.com
- The user being impersonated is in ForestB with the username userB.
I've successfully used the S4U2Self protocol and retrieved the service ticket for userB to the front-end service in ForestA. However, when trying to use S4U2Proxy to get a service ticket to the back-end service in ForestB, the request fails with Kerberos error code 12.
Upon investigating the audit logs in Event Viewer on the domain controller of ForestB, it indicates the error message is 0xC000019B (Event ID 4769), which seems to be related to some generic trust setup issue.
Any further requests with the same payload will result in Kerberos error code 28 back from ForestB's domain controller. Likely due to caching of the Kerberos ticket from before?
Update:
This setup works fine if the front-end service and the user are in the same forest, and the back-end service is in a different forest.
It also works when the front-end service and back-end service are in one forest, and the user is in a different forest.
After discussing the matter with Microsoft, it was confirmed that this specific case is not supported by Microsoft AD by design. Specifically, if the front-end service is in one forest, and the user and resource service are in a different forest, then this use case is not supported.
Hopefully this helps someone who encounters this issue in the future.
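For readers who want to see which JDK call corresponds to each hop the post describes, here is an added example of the two-hop flow using the JDK 8 JGSS API. It is not the original poster's code. The SPNs and username are the ones from the post; the JAAS entry name `FrontEndService`, the keytab path, and the realm names `FORESTA.COM` / `FORESTB.COM` are assumptions. S4U2Self is what `ExtendedGSSCredential.impersonate()` performs; S4U2Proxy is what the JDK performs inside `initSecContext()` when the impersonated credential is used to initiate a context to the back-end SPN, so in the unsupported topology the post describes it is the second call that fails with the KDC error.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Added example (not the original poster's code): S4U2Self followed by
 * S4U2Proxy with the JDK 8 JGSS API.
 *
 * Assumptions (placeholders, not taken from the post):
 *  - a JAAS config entry named "FrontEndService" that logs the front-end
 *    service in from a keytab, for example:
 *
 *    FrontEndService {
 *      com.sun.security.auth.module.Krb5LoginModule required
 *        useKeyTab=true storeKey=true doNotPrompt=true
 *        keyTab="/etc/krb5/myappserver.keytab"
 *        principal="http/myappserver.forestA.com@FORESTA.COM";
 *    };
 *
 *  - the JVM started with
 *      -Djava.security.auth.login.config=/path/to/jaas.conf
 *      -Djavax.security.auth.useSubjectCredsOnly=true
 *      -Dsun.security.krb5.debug=true   (prints the KRB-ERROR the KDC returns)
 */
public class RbcdTwoHop {

    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    /** Performs both delegation hops and returns the first AP-REQ token for the back end. */
    public static byte[] tokenForBackend(String impersonatedUser, String backendSpn) throws Exception {
        LoginContext lc = new LoginContext("FrontEndService");   // assumed JAAS entry name
        lc.login();
        Subject serviceSubject = lc.getSubject();

        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();

            // The front-end service's own credential, backed by the TGT from the JAAS login.
            GSSCredential self = manager.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);

            // Hop 1: S4U2Self. The front end's own KDC issues a service ticket for the
            // user to http/myappserver.forestA.com; this is the hop the post says works.
            GSSName user = manager.createName(impersonatedUser, GSSName.NT_USER_NAME, KRB5_MECH);
            GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(user);

            // Hop 2: S4U2Proxy. Initiating a context to the back-end SPN with the
            // impersonated credential makes the JDK send the TGS-REQ that carries the
            // S4U2Self ticket; this is the hop that fails in the post's cross-forest case.
            GSSName backend = manager.createName(backendSpn, GSSName.NT_USER_NAME, KRB5_MECH);
            GSSContext ctx = manager.createContext(
                    backend, KRB5_MECH, impersonated, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);
            try {
                return ctx.initSecContext(new byte[0], 0, 0);
            } catch (GSSException e) {
                // With sun.security.krb5.debug=true the KRB-ERROR code from the KDC
                // is printed on stderr before this exception surfaces.
                throw new IllegalStateException("S4U2Proxy to " + backendSpn + " failed: "
                        + e.getMajorString() + " / " + e.getMinorString(), e);
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        byte[] token = tokenForBackend(
                "userB@FORESTB.COM",                        // user from the post, assumed realm
                "http/backend.forestB.com@FORESTB.COM");    // back-end SPN from the post, assumed realm
        System.out.println("AP-REQ token for back end: " + token.length + " bytes");
    }

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }
}
```

Keeping the two hops in separate calls makes the failure easy to localize: if `impersonate()` returns but `initSecContext()` throws, the S4U2Self ticket was issued and the problem lies in the S4U2Proxy exchange with the back-end forest's KDC, which matches the behaviour the post reports.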