How to reuse the credentials handle to avoid a network call for every request (same user).

Greg Hudson ghudson at mit.edu
Mon Apr 3 12:40:02 EDT 2017


On 03/31/2017 01:37 PM, Rahul G wrote:
> I have a KCD implementation based on t_s4u.c, using
> gss_acquire_cred_impersonate_name() and gss_init_sec_context(). This works
> fine, giving my impersonator an auth token to the target server on behalf
> of the client user. The problem is, my implementation does a TGS_REQ
> subsequently for the same user and same target server. Is there a way I can
> reuse the credentials that I received with the first auth token? We want to
> avoid unnecessary network traffic, especially since the tickets have the
> default expirations (10 hrs).

Unfortunately, we only made using cached S4U2Proxy credentials work in
krb5-1.15 [1], while the most recent KfW release is based on krb5-1.13.
I don't know of any application-level workaround that would help.  As we
only make KfW releases infrequently, it may be some time before there is
a KfW release with this feature added; therefore, building the current
or 1.15 krb5 sources on Windows may be the only way to get this to work
in the near future.

[1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=8372
