Kerberos and "forwarded" TGS-REQ -- help!

Sam Hartman hartmans at MIT.EDU
Thu Aug 26 10:36:11 EDT 2004


I think you should take a step back and understand what user2user is
all about, understand what forwarded tickets are all about and
understand the difference between them.  You should then understand
how to get the second_ticket (which should be a tgt given to you by
the remote service) from your particular application protocol.

Please look at sections 2.9.2 and 3.3.3 of
draft-ietf-krb-wg-kerberos-clarifications-06.txt for a description of
how u2u works.

There is a long expired draft describing the u2u GSSAPI mechanism
Microsoft uses.  I don't have a copy of that, but if you can find one
it might help you a lot.  One incredibly bad recommendation from that
draft is to use the error return from the KDC to determine whether you
should use user2user or normal service tickets.  Don't do that;
instead use the mechanism negotiated by SSPI or by SPNEGO to
determine this.


Forwarded tickets are also described in the Kerberos clarifications
draft.

--Sam
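Added illustration (my own example, not code from Sam's message or from any Kerberos implementation) of the distinction the reply is drawing: a user-to-user TGS-REQ sets ENC-TKT-IN-SKEY in kdc-options and carries the remote service's TGT in additional-tickets, while a forwarded-ticket request sets FORWARDED and carries no second ticket. The bit numbers are those of the KDCOptions bit string in the clarifications document (RFC 4120, section 5.4.1); the DER helpers and the classifier are constructed here for the example.

```python
# Kerberos KDCOptions bit positions (RFC 4120 section 5.4.1).
# Bit 0 is the most significant bit of the first octet of the BIT STRING.
KDC_OPTION_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "allow-postdate": 5, "postdated": 6, "renewable": 8,
    "opt-hardware-auth": 11, "disable-transited-check": 26,
    "renewable-ok": 27, "enc-tkt-in-skey": 28, "renew": 30, "validate": 31,
}


def encode_kdc_options(names):
    """DER BIT STRING (32 bits, as Kerberos requires) with the named flags set."""
    value = 0
    for name in names:
        value |= 1 << (31 - KDC_OPTION_BITS[name])
    body = value.to_bytes(4, "big")
    # tag 0x03, length, "unused bits" octet (0), then the four flag octets
    return bytes([0x03, 1 + len(body), 0x00]) + body


def decode_kdc_options(der):
    """Parse a DER BIT STRING and return the set of KDCOptions names that are set."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused = der[2]
    octets = der[3:]
    nbits = 8 * len(octets) - unused
    bits = int.from_bytes(octets, "big")
    set_bits = {i for i in range(nbits) if (bits >> (8 * len(octets) - 1 - i)) & 1}
    return {name for name, bit in KDC_OPTION_BITS.items() if bit in set_bits}


def classify_tgs_req(kdc_options_der, has_additional_tickets):
    """Tell a user-to-user TGS-REQ apart from a forwarded-ticket TGS-REQ.

    ENC-TKT-IN-SKEY asks the KDC to encrypt the new ticket in the session key
    of the ticket supplied in additional-tickets (the remote service's TGT);
    that is u2u. FORWARDED asks for a forwarded copy of the client's own TGT,
    which is a different request that merely happens to be a TGS-REQ too.
    """
    flags = decode_kdc_options(kdc_options_der)
    if "enc-tkt-in-skey" in flags:
        if not has_additional_tickets:
            return "invalid: u2u needs the remote service's TGT in additional-tickets"
        return "user-to-user"
    if "forwarded" in flags:
        return "forwarded"
    return "ordinary service ticket"
```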


