Chat now with support
Chat with Support

Single Sign-On for Java 3.3.2 - Release Notes

Deprecated features

The following is a list of features that are no longer supported starting with Single Sign-on for Java 3.3.2.

  • Deprecation of Kerberos DES encryption types, per RFC 6649. The default list of Kerberos encryption types is now AES256, AES128 and RC4-HMAC (18, 17 and 23); the single-DES encryption types (DES-CBC-CRC, DES-CBC-MD4 and DES-CBC-MD5) have been removed from the default list. The "jcsi.kerberos.encTypes" system property can be used to override the default.

Resolved issues

The following is a list of issues addressed and enhancements implemented in One Identity Single Sign-on for Java 3.3.2.

Table 2: Resolved issues: javax.servlet layer
Resolved Issue Issue ID
IllegalArgumentException during initialization on Tomcat 8.0.0 -- 8.0.24 3632
SID-to-name mapping table: updated Active Directory well-known group SIDs ----
ADFSv1: allow InvalidFederationTokenException to be intercepted ----
Table 3: Resolved issues: Java SE layer (GSSAPI/Kerberos)
Resolved Issue Issue ID
When sending a delegated TGT, all encryption types newer than DES / 3DES should encrypt the KRB_CRED 1077
GSSContext.initSecContext(byte[],int,int) should allow null in first invocation 3572
JGSS providers: add support for OpenJDK 1.6 and (current early-access versions of) JDK 1.9 3628
Only use OK-AS-DELEGATE if at least one of requestCredDeleg(true), requestDelegPolicy(true) or jcsi.kerberos.honorOkAsDelegate=true is set 3633
GSS initiator should use correct Kerberos name-type (e.g. KRB_NT_SRV_HST) in TGS-REQ 3636
KrbError toString(): hex dump some e-data in KRB-ERROR ----

This release also resolves the following issues that were previously addressed in patches to the 3.3 release:

Table 4: Resolved issues: From Patch 3598
Resolved Issue Issue ID
JGSS providers: add support for Sun / Oracle / OpenJDK 1.7 and above 3598
Table 5: Resolved issues: From Patch 3601
Resolved Issue Issue ID
Detect unavailable domain controllers expeditiously, then try alternative domain controllers. Explicitly set timeouts for TCP connection establishment (for KDC requests over TCP and for automatic site discovery over TCP), rather than depending on the default timeout from the OS / JVM. 3601
Table 6: Resolved issues: From Patch 3603 / TP1 / TP2 / TP3
Resolved Issue Issue ID
NTLM: Support increased NTLM security 3603
Table 7: Resolved issues: From Patch 3609
Resolved Issue Issue ID
For LDAP requests, explicitly set timeouts for TCP connection establishment rather than depending on the default timeout from the OS / JVM. 3607
Fix erroneous backoff-time calculation for domain controllers that were unavailable for two or more attempts. 3608
Table 8: Resolved issues: From Update_20150605
Resolved Issue Issue ID
Kerberos: Avoid KDC_ERR_ETYPE_NOSUPP in domains where not all DCs support the same set of encryption types 3585
S4U2Self: Recognize expired S4U2Self tickets and replace them with fresh ones 3611
Kerberos: Generate channel bindings that interoperate with major C implementations (MIT, Heimdal, Active Directory), not with the letter of the RFCs 3612
ADFSv1 enhancements: new 'fsProxyExtraParams' and 'omitDomainInPrincipalName' options 3613
When sending LDAP SASL requests, avoid unnecessary generation of small TCP packets (and triggering of Nagle's algorithm) 3615
When LDAP requests to a particular server are problematic, correctly mark that server as problematic and prefer other servers for subsequent LDAP requests. 3622
When selecting a server to handle a new LDAP request, prefer servers that do not currently have outstanding LDAP requests. Also eliminate some unnecessary serialization on shared instances in the LDAP code. 3623
Java fat clients on Windows: Kerberos session-key retrieval is supported now on Windows 6.0 3625
AttributeUserPrincipalFormatter: If the attribute value is not set for a particular User, do not automatically substitute the user's sAMAccountName 3626
Java fat clients on Unix/Linux: tolerate X-CACHECONF entries in MIT / Heimdal credential-cache files 3627

System requirements

Before installing One Identity Single Sign-on for Java 3.3.2, ensure your system meets the following minimum system requirements:

Table 9: System requirements
Requirement Details
Active Directory domain controllers Microsoft Windows Server 2008 or higher.

Some optional functionality -- resource-based constrained delegation, and Claims from the service ticket -- requires Windows Server 2012 or higher.

JVM Java SE 5.0 (1.5) or higher on any operating system.

Product licensing

If you have a vsj-license.jar (or legacy jcsi_license.jar) file that you have used with previous releases, this release is fully compatible with that license file.

If you have purchased Single Sign-on for Java you should have received a production vsj-license.jar file (typically packaged in a "" file to avoid problems in transit).

If you require a trial key for Single Sign-on for Java, please contact your sales representative. The trial key is a vsj-license.jar file that has a time limit.

To activate a license (either trial or purchased commercial)

  1. The vsj-license.jar file should be made available on the same classpath as the vsj-standard-3.3.2.jar file; for example, in a web application, both of these files may be placed in the WEB-INF/lib directory.
  2. If you are working with the examples that are included in this release, copy the vsj-license.jar file alongside the vsj-standard-3.3.2.jar file in the ./lib directory before starting to build the examples.
Related Documents