When delegation is enabled, the client sends TGS-REQ to KDC every time i click on a link on the web page
Rasanth Akali Kandoth
rasanth at gmail.com
Wed Mar 13 00:58:49 EDT 2013
Hi Hudson,
Thanks for the quick response.
Regards,
Rasanth
On Wed, Mar 13, 2013 at 10:20 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 03/13/2013 12:30 AM, Rasanth Akali Kandoth wrote:
> > Hi,
> > When i enable delegation by setting the GSS_C_DELEG_FLAG
> > , gss_init_sec_context sends TGS req every time i click on a link on the
> > web page. basically for every request, the client sends a request for
> > service ticket.
> > Is this expected when you enable delegation ? if not, how can i avoid
> this?
>
> This is, unfortunately, a known bad interaction between Kerberos on the
> web and the way we implement ticket forwarding. We make a request to
> the KDC for a fresh TGT each time we forward Kerberos tickets, which is
> fine for use cases like ssh, but is very inefficient when you're doing
> negotiate auth with ticket forwarding on a whole bunch of HTTP requests.
>
>
--
Regards,
Rasanth
More information about the Kerberos
mailing list