Delegation or Explicit Credentials for Web Service?

Michael B Allen mba2000 at ioplex.com
Thu May 25 22:13:32 EDT 2006


On 25 May 2006 00:33:49 -0400
"Richard E. Silverman" <res at qoxp.net> wrote:
>     MBA>   1) Configure the HTTP service principal as OK-AS-DELEGATE. When
>     MBA> the web client connects, gss_accept_sec_context will emit a TGT
>     MBA> that can then be used to acquire the desired ticket.
> 
> Only if the client is configured to actually do delegation.  The "OK" flag
> is just a hint to the client as to whether the Kerberos realm considers
> this service trustworthy.  Firefox has the setting:
> 
> network.negotiate-auth.delegation-uris
> 
> ... indicating its own notion of which URIs should get delegation.

I have that option set. Delegation is still not working.

But at least I now know exactly where delegation is failing. Using
simple Heimdal GSSAPI client/server test programs (no http involved)
gss_init_sec_context tries to get a forwardable TGT but the TGS-REQ is
failing with KRB5KDC_ERR_BADOPTION. From looking at an Ethereal trace
I can see the only option set is 'forwarded' (NOT 'forwardable'). The
KDC is W2K3.

But I don't understand enough about the significance of the forwarded
(or forwardable) designation in the context of delegation. Can anyone
explain why the KDC would reject this request?

Thanks,
Mike
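The flag pair Mike is asking about is defined in RFC 4120: FORWARDABLE is a flag on the TGT itself (granted at AS-REQ time), while FORWARDED is the KDC option a client sets in a TGS-REQ when it asks for a forwarded copy of its TGT to hand to the service, which is what GSSAPI delegation does. RFC 4120 section 3.3.3 has the KDC refuse a TGS-REQ carrying FORWARDED with KDC_ERR_BADOPTION (error 13, MIT name KRB5KDC_ERR_BADOPTION) when the presented TGT lacks FORWARDABLE, and the same rule applies to PROXY versus PROXIABLE. The following Python is an added model of that check, not code from the thread or from Heimdal; it decodes the 32-bit flag BIT STRING using RFC 4120 bit positions (bit 0 is the most significant bit of the first octet, which is how Ethereal numbers them), and it assumes the MIT `klist -f` flag letters as documented in the klist man page. It ignores the other TGS-REQ checks a real KDC performs (addresses, renew/validate options, policy).

```python
"""Model of the RFC 4120 rule behind KRB5KDC_ERR_BADOPTION on a forwarded-TGT request.
Added example for illustration; not part of the mailing-list thread and not KDC code."""

# Bit positions shared by KDCOptions (RFC 4120 5.4.1) and TicketFlags (RFC 4120 5.3).
# Bit 0 is the most significant bit of the first octet of the ASN.1 BIT STRING.
FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "allow-postdate": 5,
    "postdated": 6,
    "renewable": 8,
    "initial": 9,          # TicketFlags only
    "pre-authent": 10,
    "ok-as-delegate": 13,  # TicketFlags only
}

KRB5KDC_ERR_BADOPTION = 13  # RFC 4120 section 7.5.9 error code for a bad KDC option

# Letters printed by MIT "klist -f" (assumed mapping, from the MIT klist man page).
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "allow-postdate", "d": "postdated", "R": "renewable", "I": "initial",
    "A": "pre-authent", "O": "ok-as-delegate",
}

WIDTH_BITS = 32


def encode_flags(names):
    """Integer value of a 32-bit flag BIT STRING with the named bits set."""
    value = 0
    for name in names:
        value |= 1 << (WIDTH_BITS - 1 - FLAG_BITS[name])
    return value


def has_flag(value, name):
    """True if the named RFC 4120 bit is set in the 32-bit flag value."""
    return bool(value & (1 << (WIDTH_BITS - 1 - FLAG_BITS[name])))


def decode_flags(value):
    """Names of the set bits, e.g. for a value copied from an Ethereal trace."""
    return sorted(name for name in FLAG_BITS if has_flag(value, name))


def flags_from_klist(letters):
    """Turn the flag letters from an MIT 'klist -f' line into a TicketFlags value."""
    return encode_flags(KLIST_LETTERS[c] for c in letters if c in KLIST_LETTERS)


def kdc_check_tgs_req(tgt_flags, kdc_options):
    """Apply the RFC 4120 3.3.3 option/flag consistency rules to a TGS-REQ.

    Returns None when the request passes, or KRB5KDC_ERR_BADOPTION when the
    client asks for a FORWARDED (or PROXY) ticket but its TGT was not issued
    FORWARDABLE (or PROXIABLE). Other KDC checks are out of scope here.
    """
    if has_flag(kdc_options, "forwarded") and not has_flag(tgt_flags, "forwardable"):
        return KRB5KDC_ERR_BADOPTION
    if has_flag(kdc_options, "proxy") and not has_flag(tgt_flags, "proxiable"):
        return KRB5KDC_ERR_BADOPTION
    return None


if __name__ == "__main__":
    # Constructed scenario matching the trace described in the mail: the client
    # sends a TGS-REQ whose only option is FORWARDED, and the TGT it holds was
    # issued without FORWARDABLE (klist would show "A" but no "F").
    request = encode_flags(["forwarded"])
    print("TGS-REQ options:", decode_flags(request))
    print("non-forwardable TGT ->", kdc_check_tgs_req(flags_from_klist("A"), request))
    print("forwardable TGT     ->", kdc_check_tgs_req(flags_from_klist("FA"), request))
```

The practical check this models: run `klist -f` on the client before the GSSAPI exchange and confirm the TGT line shows the forwardable flag (`F` in MIT's output). If it does not, the KDC will answer the delegation TGS-REQ with KRB5KDC_ERR_BADOPTION no matter how the service principal or the browser is configured, because a TGT that was never issued forwardable cannot be forwarded.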


