Delegation or Explicit Credentials for Web Service?
Richard E. Silverman
res at qoxp.net
Thu May 25 00:33:49 EDT 2006
>>>>> "MBA" == Michael B Allen <mba2000 at ioplex.com> writes:
MBA> I have some code that runs on a web server and authenticates
MBA> clients using GSSAPI via WWW-Authenticate: Negotiate. This works
MBA> with Firefox and IE.
MBA> I have some client code that authenticates with a file server
MBA> using Kerberos. That works ok too.
MBA> Now I want the code on the web server to run the code that
MBA> authenticates with the file server. This does not work because I
MBA> need a ticket to authenticate the web server with the file
MBA> server.
MBA> My understanding is that I have two options:
MBA> 1) Configure the HTTP service principal as OK-AS-DELEGATE. When
MBA> the web client connects, gss_accept_sec_context will emit a TGT
MBA> that can then be used to acquire the desired ticket.
Only if the client is configured to actually do delegation. The "OK" flag
is just a hint to the client as to whether the Kerberos realm considers
this service trustworthy. Firefox has the setting:
network.negotiate-auth.delegation-uris
... indicating its own notion of which URIs should get delegation.
--
Richard Silverman
res at qoxp.net
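Added example, not part of the thread above: a small checker that mimics how a browser-side delegation allow-list such as Firefox's network.negotiate-auth.delegation-uris is applied to a URL, so an administrator can test which sites would actually receive a forwarded TGT before relying on OK-AS-DELEGATE alone. The matching rules (comma-separated entries, bare domain matches itself and sub-domains on a label boundary, optional scheme and port must match) are my reading of the pref's documented behaviour and are an assumption, not Mozilla's code.

```python
"""Approximate the matching of a Negotiate delegation-uris allow-list.

Hypothetical re-implementation (assumption, not Mozilla's code) of the
rule deciding whether a URL may receive delegated Kerberos credentials:
  - the pref is a comma-separated list of entries;
  - an entry is a bare host/domain ("example.com" or ".example.com")
    or a URL prefix with a scheme ("https://portal.corp.test[:8443]");
  - a bare domain matches itself and any sub-domain, but only on a
    label boundary, so "example.com" never matches "evilexample.com";
  - a scheme or port given in the entry must match the URL exactly.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_entry(entry):
    """Return (scheme|None, host, port|None) for one allow-list entry."""
    entry = entry.strip()
    if not entry:
        return None
    scheme = None
    if "://" in entry:
        scheme, entry = entry.split("://", 1)
        scheme = scheme.lower()
    entry = entry.split("/", 1)[0]          # drop any trailing path
    host, _, port = entry.partition(":")
    host = host.lower().lstrip(".")          # ".example.com" == "example.com"
    return scheme, host, int(port) if port else None


def _host_matches(entry_host, url_host):
    # exact host, or url_host is a sub-domain of entry_host
    return url_host == entry_host or url_host.endswith("." + entry_host)


def delegation_allowed(pref_value, url):
    """True if any entry of pref_value permits delegation to url."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    for raw in pref_value.split(","):
        parsed = _parse_entry(raw)
        if parsed is None:
            continue
        e_scheme, e_host, e_port = parsed
        if e_scheme and e_scheme != scheme:
            continue
        if e_port is not None and e_port != port:
            continue
        if _host_matches(e_host, host):
            return True
    return False
```

Note that an overly broad entry (a bare top-level domain, for instance) would hand every matching host the user's TGT, which is why this list, not the KDC's OK-AS-DELEGATE hint, is the control worth auditing on the client side.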