Java SPNEGO Authentication & Kerberos Constrained Delegation (KCD) to backend service

梦毁少年i 2020-11-29 12:30

I have a Java web application which does SPNEGO authentication of clients in a Windows Active Directory environment. To authenticate the user we use code from the good old SPN

2 answers
  •  萌比男神i
    2020-11-29 13:21

    I've actually been doing something like this recently but am using Spring Security Kerberos. I put an example on GitHub here. The key thing that I found that I needed to set up to use constrained delegation like you want it and S4U2Proxy was to make sure (if you're using Oracle/OpenJDK) you set isInitiator=true in your JAAS config so that when getDelegCred is called you get back a Krb5ProxyCredential. See comment here. With that credential, you can use it to create service ticket tokens on the user's behalf for the services you are constrained to use in the normal fashion, like this.
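
The flow described in the answer above, as an added example that is not the answerer's code or the linked GitHub project: a keytab login with isInitiator=true, acceptance of the client's SPNEGO token, and use of the credential from getDelegCred to build a token for the backend. The class name, principal, keytab path and backend host are hypothetical placeholders, and it assumes Oracle/OpenJDK 9+ and a backend that accepts SPNEGO.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class KcdSketch {
    // Hypothetical placeholders: substitute your own service account, keytab and backend.
    static final String SERVICE_PRINCIPAL = "HTTP/webapp.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/security/webapp.keytab";
    static final String BACKEND_SERVICE = "HTTP@backend.example.com";

    // Keytab login for the service account. isInitiator=true also obtains a TGT for it,
    // which getDelegCred() needs before it can return an S4U2Proxy-backed credential.
    static Subject loginService() throws Exception {
        Map<String, String> opts = Map.of(
            "useKeyTab", "true", "keyTab", KEYTAB, "principal", SERVICE_PRINCIPAL,
            "storeKey", "true", "doNotPrompt", "true", "isInitiator", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext lc = new LoginContext("webapp", null, null, conf);
        lc.login();
        return lc.getSubject();
    }

    // Accepts the client's SPNEGO token, then builds a token for the backend as that user.
    static byte[] backendToken(Subject service, byte[] clientToken) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            GSSContext in = mgr.createContext((GSSCredential) null); // acceptor side
            in.acceptSecContext(clientToken, 0, clientToken.length);
            if (!in.isEstablished()) throw new IllegalStateException("multi-leg SPNEGO not handled");
            GSSCredential asUser = in.getDelegCred(); // may throw GSSException if unavailable
            // A null credential would make the context below fall back to the service's own identity.
            if (asUser == null) throw new IllegalStateException("no credential for " + in.getSrcName());
            GSSName backend = mgr.createName(BACKEND_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            // The KDC issues this ticket only if AD permits delegation to the backend SPN.
            GSSContext out = mgr.createContext(backend, spnego, asUser, GSSContext.DEFAULT_LIFETIME);
            return out.initSecContext(new byte[0], 0, 0);
        });
    }
}
```

The returned bytes are what would be Base64-encoded into an `Authorization: Negotiate` header for the backend call.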
