delegation from a MIT win98 client to Active Directory
Mads Rasmussen
mads at nospam.opencs.com.br
Thu Nov 25 07:57:22 EST 2004
Jeffrey Altman wrote:
> Please explain what it is you are attempting to achieve.
> A client delegates by forwarding either a TGT or a proxy
> ticket to the service. This operation is performed by
> the application communicating with the service.
>
> Forwarding tickets is supported by MIT Kerberos for Windows.
>
> Jeffrey Altman
Sure Jeffrey,
We would like to make the "double-hop" work on a Windows 98 client. To
make this more clear:
- A domain with a AD server and Kerberos tickets used for authentication
- a Windows 98 station navigating the web through IE
- Accessing a page in an IIS server
- The page retrieves data in a SQL OLAP server.
The double-hop means that the OLAP server will be able to get the right
user information and, securely, release the information for that user.
This scenario works for a Windows 2000 client but not for Windows 98.
We would like to make it work, if possible
We have tried installing a MIT Kerberos client on the Windows98 but we
couldn't make it work, might be configuration problems though.
During some research we suspect that there is a "delegation flag" that
the MIT client doesn't set.
After the logon all other communication (ticket requesting and granting)
should happen between the AD and the SQL Server.
Any thoughts that might help us see the light?
Regards,
Mads Rasmussen
Open Communications Security
More information about the Kerberos
mailing list