Delegation or Explicit Credentials for Web Service?

Michael B Allen mba2000 at ioplex.com
Thu May 25 00:10:43 EDT 2006


I have some code that runs on a web server and authenticates clients using
GSSAPI via WWW-Authenticate: Negotiate. This works with Firefox and IE.

I have some client code that authenticates with a file server using
Kerberos. That works ok too.

Now I want the code on the web server to run the code that authenticates
with the file server. This does not work because I need a ticket to
authenticate the web server with the file server.

My understanding is that I have two options:

  1) Configure the HTTP service principal as OK-AS-DELEGATE. When the web
  client connects, gss_accept_sec_context will emit a TGT that can then
  be used to acquire the desired ticket.

  2) Create an account specifically for the web server to file server
  authentication, export that key from the KDC, copy it to the web server,
  and do the partial equivalent of kinit in the web server code thereby
  acquiring the desired ticket.

Can someone confirm or deny that my understanding is correct?

Secondarily I can see the OK-AS-DELEGATE flag is on in the TGS-REP
for the HTTP service principal ticket but when a client authenticates
gss_accept_sec_context does not emit a delegated credential. What am I
doing wrong?

Thanks,
Mike
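
A client-side check for option 1, added here as an example rather than code from the post or the Kerberos project: the acceptor can only return a delegated credential if the browser forwards its TGT, which needs a forwardable TGT and a client configured to delegate to that service; the ok_as_delegate flag on the HTTP ticket is only a hint to the client. This script parses constructed `klist -f` output to report the ccache-side prerequisites; the realm, user and HTTP principal names are assumed.

```python
import re

# Constructed sample of `klist -f` output for a browser user's ccache
# (not taken from the original post). The TGT lacks the F flag.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/06 00:00:00  05/25/06 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: IA
05/25/06 00:01:00  05/25/06 10:00:00  HTTP/www.example.com@EXAMPLE.COM
\tFlags: AO
"""

# One ticket line: two date/time pairs followed by a service principal.
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
FLAGS_RE = re.compile(r"^\s*Flags:\s*(\S+)")


def parse_klist(text):
    """Map each service principal in `klist -f` output to its flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = set()
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            tickets[current] = set(m.group(1))
    return tickets


def delegation_check(tickets, realm, http_princ):
    """Report the ccache-side prerequisites for forwarding a TGT to http_princ."""
    tgt = tickets.get(f"krbtgt/{realm}@{realm}", set())
    svc = tickets.get(http_princ, set())
    problems = []
    if "F" not in tgt:  # F = forwardable; without it nothing can be forwarded
        problems.append("TGT is not forwardable (kinit -f / forwardable = true)")
    if "O" not in svc:  # O = ok_as_delegate set by the KDC on the service ticket
        problems.append("service ticket lacks ok_as_delegate (O)")
    return {"tgt_forwardable": "F" in tgt,
            "service_ok_as_delegate": "O" in svc,
            "problems": problems}


if __name__ == "__main__":
    print(delegation_check(parse_klist(SAMPLE_KLIST), "EXAMPLE.COM",
                           "HTTP/www.example.com@EXAMPLE.COM"))
```

Even with both flags present, the browser must still ask for delegation (GSS_C_DELEG_FLAG in its initial token) before gss_accept_sec_context has anything to return in delegated_cred_handle.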
