Fwd: Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Alan Braggins alan.braggins at brocade.com
Tue Sep 1 14:36:15 EDT 2015


On 01/09/15 16:32, Russ Allbery wrote:
> Amit Thukral <amit.thukral403 at gmail.com> writes:
>
>> I am trying to implement kerberos authentication between clients and
>> windows KDC using certificates.
>
>> The product on which this needs to be implemented is a linux based
>> reverse proxy.
[...]
> If I'm understanding your problem description correctly, I'm not sure this
> is possible.  To get Kerberos tickets from a certificate (aka PKINIT), the
> client that has access to the certificate private key needs to do this
> directly.  An intermediate cannot do this, since it doesn't have access to
> the certificate private key.  So if you're trying to get the Linux reverse
> proxy to do the authentication on behalf of the user, that isn't going to
> work.

There's also constrained delegation, where the client authenticates to
the proxy using TLS client certificates or some other protocol and then
the proxy is trusted to get tickets on behalf of the clients, but it
doesn't sound like that's what he wants to do either.

-- 
http://www.brocade.com/products/all/application-delivery-controllers/index.page
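
The constrained delegation flow mentioned in the reply above, as an added example that is not part of the original thread: a simplified Python model of the checks a KDC applies when a proxy requests tickets on behalf of a client it has already authenticated (for instance by TLS client certificate). The account names, SPNs and field names are constructed for illustration, and a real KDC applies more checks than are modelled here.

```python
# Simplified model of the KDC-side checks in constrained delegation (S4U).
# All principals, SPNs and field names below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    protocol_transition: bool = False   # "trusted to authenticate for delegation"
    allowed_to_delegate_to: set = field(default_factory=set)  # permitted target SPNs
    sensitive: bool = False             # "account is sensitive and cannot be delegated"

@dataclass(frozen=True)
class Ticket:
    client: str
    service: str
    forwardable: bool

class DelegationDenied(Exception):
    pass

def s4u2self(proxy: Account, user: Account) -> Ticket:
    """Proxy asks for a ticket to itself in the user's name (no user key involved)."""
    fwd = proxy.protocol_transition and not user.sensitive
    return Ticket(client=user.name, service=proxy.name, forwardable=fwd)

def s4u2proxy(proxy: Account, evidence: Ticket, target_spn: str) -> Ticket:
    """Proxy trades the evidence ticket for a ticket to a backend service."""
    if evidence.service != proxy.name:
        raise DelegationDenied("evidence ticket was not issued to this proxy")
    if not evidence.forwardable:
        raise DelegationDenied("evidence ticket is not forwardable")
    if target_spn not in proxy.allowed_to_delegate_to:
        raise DelegationDenied(f"{target_spn} is not in the proxy's delegation list")
    return Ticket(client=evidence.client, service=target_spn, forwardable=True)

def proxy_request(proxy: Account, user: Account, target_spn: str) -> Ticket:
    """Flow run after the proxy has verified the user's TLS client certificate."""
    return s4u2proxy(proxy, s4u2self(proxy, user), target_spn)

if __name__ == "__main__":
    proxy = Account("HTTP/proxy.example.test", protocol_transition=True,
                    allowed_to_delegate_to={"HTTP/app.example.test"})
    alice = Account("alice@EXAMPLE.TEST")
    admin = Account("admin@EXAMPLE.TEST", sensitive=True)
    print(proxy_request(proxy, alice, "HTTP/app.example.test"))
    for user, spn in [(alice, "cifs/files.example.test"), (admin, "HTTP/app.example.test")]:
        try:
            proxy_request(proxy, user, spn)
        except DelegationDenied as e:
            print("denied:", user.name, "->", spn, "|", e)
```

The model shows why the delegation list on the proxy account is the control that matters: the proxy never holds the user's key, so the KDC's per-target allow list and the sensitive-account flag are what bound the tickets it can obtain.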

