Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Tom Yu tlyu at mit.edu
Mon Aug 31 16:58:44 EDT 2015


This list is for discussion about development on the Kerberos for
Windows (KfW) product.  For the type of question you've asked below,
it's probably best to post to the kerberos at mit.edu list, which is a
community resource for general Kerberos-related questions.

Thanks.

-Tom

Amit Thukral <amit.thukral403 at gmail.com> writes:

> Hi,
>
> I am trying to implement Kerberos authentication between clients and
> a Windows KDC using certificates.
> The product on which this needs to be implemented is a Linux-based reverse
> proxy.
> We have already integrated the MIT Kerberos libraries with it and are able to
> authenticate clients with the Windows KDC,
> i.e. we are able to get a TGT on behalf of the client (by setting the forwardable
> flag for the AS REQ), pass it back to the browser (client), and thus the client
> authenticates using that ticket with servers protected behind our product.
> But for this, as of now, when a user tries to access a service
> protected behind our product, we prompt him with a login form where he enters
> his credentials, using which we call the
> krb5_get_init_creds_password API to send the AS REQ and get the TGT.
>
> Now, we want to achieve this using certificates.
> Will it be the same API to be used, using the anchor and identity-value from
> the certificate, or is there any other API to be used to get the TGT?
> I used the same API and am able to get an AS REP which has the TGT, but it doesn't get
> stored in the credential cache; not sure why.
> I am getting a numeric error code of 5 from the krb5int_get_init_creds function in
> get_in_tkt.c:
> 1654        code = init_creds_get(context, ctx, use_master);
> (gdb)
> 1655        if (code != 0)
> (gdb) p code
> $5 = 5
> I don't know what it means.
> Is there any reference link which I can follow to do the certificate
> generation and configuration on Windows?
>
> Also, is it possible to achieve Constrained Delegation using certificates
> for our product, considering we are a Linux-based reverse proxy and the client and
> server would be mostly Windows?
>
> If this is not the right forum, kindly point me to the right mailing list.
>
> Thanks !!
> Amit Thukral
> _______________________________________________
> kfwdev mailing list
> kfwdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kfwdev

