When delegation is enabled, the client sends TGS-REQ to KDC every time i click on a link on the web page
Greg Hudson
ghudson at MIT.EDU
Wed Mar 13 00:50:19 EDT 2013
On 03/13/2013 12:30 AM, Rasanth Akali Kandoth wrote:
> Hi,
> When i enable delegation by setting the GSS_C_DELEG_FLAG
> , gss_init_sec_context sends TGS req every time i click on a link on the
> web page. basically for every request, the client sends a request for
> service ticket.
> Is this expected when you enable delegation ? if not, how can i avoid this?
This is, unfortunately, a known bad interaction between Kerberos on the
web and the way we implement ticket forwarding. We make a request to
the KDC for a fresh TGT each time we forward Kerberos tickets, which is
fine for use cases like ssh, but is very inefficient when you're doing
negotiate auth with ticket forwarding on a whole bunch of HTTP requests.
More information about the Kerberos
mailing list