Security Update to disable keytab in JAAS login configuration for Basic authentication (MINDBREEZE29751)

Affected Components: Mindbreeze InSpire G7 with active Kerberos client authentication 
Severity: Critical 
Status: Final 
First published: December 18, 2023 


A configuration issue in the default JAAS login configuration uses the Client Service keytab in the Basic authentication fallback LoginContext. The keytab is configured per Client Service in the Mindbreeze configuration, and shall be a unprivileged service account to validate the integrated authentication via a service principal name of the form "HTTP/<FQHN>". The effect is that the password validation for this particular service user is disabled, if the keytab in addition to the service principal name SPN (HTTP/<FQHN>) also contains the effective user principal name (UPN). 


Security Impact 

In Basic authentication the password of the user matching the service username of the Client Service keytab is not validated, if the keytab contains the proper username in addition to the service principal name (SPN). 


Hotfix Information

Fixed with following versions of Mindbreeze InSpire On-Premises: 

  • Mindbreeze InSpire 23.6 HF3 Release