Proxiable tickets

Frank Taylor google at lieder.me.uk
Wed Dec 17 11:57:58 EST 2003


google at lieder.me.uk (Frank Taylor) wrote in message news:<d777a3ae.0312160657.1682407 at posting.google.com>...

> Whilst I believe this is how it should work in theory, I am lost as to
> how to implement this in practice. Specifically, I am not sure exactly
> what should be passed from the client to the web application...
> rfc1510 talks about passing the "proxy", but does not define what this
> is? Is it the TGS REPLY, or is it the underlying ticket?

A more thorough reading of rfc1510 reveals the KRB_CRED message, for
sending Credentials protected by an existing session key.

Using the java-kerberos API I can make a KRB_CRED (it's a little bit
fiddly), but I now don't get how to turn the serialised KRB_CRED back
into a Credentials. Using this API, the only way to create a
Credentials requires a KDCRep object.

Anyone with experience of this?

My only hope of continuing is to update the library with a new
Credentials constructor that takes a KRBCred.

Thanks,

Frank.

