When delegation is enabled, the client sends TGS-REQ to KDC every time i click on a link on the web page

Greg Hudson ghudson at MIT.EDU
Wed Mar 13 00:50:19 EDT 2013

On 03/13/2013 12:30 AM, Rasanth Akali Kandoth wrote:
> Hi,
> When i enable delegation by setting the  GSS_C_DELEG_FLAG
> , gss_init_sec_context sends TGS req every time i click on a link on the
> web page. basically for every request, the client sends a request for
> service ticket.
> Is this expected when you enable delegation ? if not, how can i avoid this?

This is, unfortunately, a known bad interaction between Kerberos on the
web and the way we implement ticket forwarding.  We make a request to
the KDC for a fresh TGT each time we forward Kerberos tickets, which is
fine for use cases like ssh, but is very inefficient when you're doing
negotiate auth with ticket forwarding on a whole bunch of HTTP requests.

More information about the Kerberos mailing list