Fwd: Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Amit Thukral amit.thukral403 at gmail.com
Tue Sep 1 01:14:13 EDT 2015


Hi,

I am trying to implement Kerberos authentication between clients and a
Windows KDC using certificates.
The product on which this needs to be implemented is a Linux-based reverse
proxy.
We have already integrated the MIT Kerberos libraries with it and are able to
authenticate clients with the Windows KDC,
i.e. we are able to get a TGT on behalf of the client (by setting the
forwardable flag for the AS Req), pass it back to the browser (client), and
thus the client authenticates using that ticket with servers protected
behind our product.
But for this, as of now, when a user tries to access a service
protected behind our product, we prompt him with a login form where he enters
his credentials, using which we call the
krb5_get_init_creds_password API to send the AS REQ and get the TGT.

Now, we want to achieve this using certificates.
Will it be the same API, used with the anchor and identity-value from the
certificate, or is there any other API to be used to get the TGT?
I used the same API and am able to get an AS REP which has the TGT, but it
doesn't get stored in the credential cache; not sure why.
I am getting a numeric error code of 5, i.e. "Input/output error", from the
following function in get_in_tkt.c:
 krb5int_get_init_creds (..) {
1654        code = init_creds_get(context, ctx, use_master);
(gdb)
1655        if (code != 0)
(gdb) p code
$5 = 5
I don't know what it means.
Is there any reference link which I can follow to do the certificate
generation and required configuration on Windows for my case?
I am not clear which configuration option I have to follow.
It would be great if someone could help me with this.

Thanks !!
Amit

