When delegation is enabled, the client sends TGS-REQ to KDC every time i click on a link on the web page

Rasanth Akali Kandoth rasanth at gmail.com
Wed Mar 13 00:58:49 EDT 2013

Hi Hudson,
Thanks for the quick response.

On Wed, Mar 13, 2013 at 10:20 AM, Greg Hudson <ghudson at mit.edu> wrote:

> On 03/13/2013 12:30 AM, Rasanth Akali Kandoth wrote:
> > Hi,
> > When i enable delegation by setting the  GSS_C_DELEG_FLAG
> > , gss_init_sec_context sends TGS req every time i click on a link on the
> > web page. basically for every request, the client sends a request for
> > service ticket.
> > Is this expected when you enable delegation ? if not, how can i avoid
> this?
> This is, unfortunately, a known bad interaction between Kerberos on the
> web and the way we implement ticket forwarding.  We make a request to
> the KDC for a fresh TGT each time we forward Kerberos tickets, which is
> fine for use cases like ssh, but is very inefficient when you're doing
> negotiate auth with ticket forwarding on a whole bunch of HTTP requests.


More information about the Kerberos mailing list