WebISO: the killer kerberos app?

Kevin Coffman kwc at citi.umich.edu
Tue Mar 9 14:07:43 EST 2004


Russ Allbery wrote:
> Kevin Coffman <kwc at citi.umich.edu> writes:
> 
> > Our answer to the proxy issue when certificates are used for
> > authentication is Kerberized Credentials Translation (KCT).  The web
> > server captures the SSL handshake between itself and the client,
> > forwards that handshake and other info to the KCT (a Kerberized service)
> > running on a KDC machine which can issue Kerberos service tickets for
> > the web server to use on the user's behalf.
> 
> How does it do this without the user's password?

The KCT runs on the KDC machine and has access to the Kerberos
database.  It generates tickets just like the TGS, but with
different requirements for the request.



More information about the Kerberos mailing list