Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Amit Thukral amit.thukral403 at gmail.com
Mon Aug 31 22:48:10 EDT 2015


Thanks Tom.
On Sep 1, 2015 2:28 AM, "Tom Yu" <tlyu at mit.edu> wrote:

> This list is for discussion about development on the Kerberos for
> Windows (KfW) product.  For the type of question you've asked below,
> it's probably best to post to the kerberos at mit.edu list, which is a
> community resource for general Kerberos-related questions.
>
> Thanks.
>
> -Tom
>
> Amit Thukral <amit.thukral403 at gmail.com> writes:
>
> > Hi,
> >
> > I am trying to implement Kerberos authentication between clients and
> > Windows KDC using certificates.
> > The product on which this needs to be implemented is a Linux-based
> > reverse proxy.
> > We have already integrated the MIT Kerberos libraries with it and are
> > able to authenticate clients with the Windows KDC,
> > i.e. we are able to get a TGT on behalf of the client (by setting the
> > forwardable flag for the AS REQ), pass it back to the browser (client),
> > and thus the client authenticates using that ticket with servers
> > protected behind our product.
> > But for this, as of now, when a user tries to access a service
> > protected behind our product, we prompt him with a login form where he
> > enters his credentials, using which we call the
> > krb5_get_init_creds_password API to send the AS REQ and get a TGT.
> >
> > Now, we want to achieve this using certificates.
> > Will it be the same API to be used, using anchor and identity-value from
> > the certificate, or is there any other API to be used to get a TGT?
> > I used the same API and am able to get an AS REP which has the TGT, but
> > it doesn't get stored in the credential cache; not sure why.
> > I am getting a numeric error code of 5 from the krb5int_get_init_creds
> > function in get_in_tkt.c:
> > 1654        code = init_creds_get(context, ctx, use_master);
> > (gdb)
> > 1655        if (code != 0)
> > (gdb) p code
> > $5 = 5
> > I don't know what it means.
> > Is there any reference link which I can follow to do the certificate
> > generation and configuration on Windows?
> >
> > Also, is it possible to achieve Constrained Delegation using certificates
> > for our product, considering we are a Linux-based reverse proxy and the
> > client and server would be mostly Windows?
> >
> > If this is not the right forum, kindly point me to the right mailing
> > list.
> >
> > Thanks !!
> > Amit Thukral

