Make Windows Firefox Use Ticket gained via OpenConnect VPN Connection

Benjamin Kaduk kaduk at mit.edu
Sun Oct 21 18:10:39 EDT 2018


The description of current and desired behavior is a bit sparse, but it
seems like the key question is whether/where openconnect stores the
kerberos ticket obtained during VPN connection.  If it's stored someplace
accessible, the rest would just be a matter of getting the different tools
plumbed together properly.  But if the KfW ticket manager does not show any
credentials after the openconnect login, it may be that openconnect is not
storing the ticket anywhere, in which case a software change would be
needed to openconnect to get it to do so.

-Ben

On Sat, Oct 20, 2018 at 10:09:57PM +0200, chiasa.men wrote:
> I have an openconnect server where I can login with kerberos credentials (the 
> vpn server basically also works as proxy to the kdc within said vpn - more 
> detailed description: https://access.redhat.com/blogs/766093/posts/1976663)
> 
> Now I can connect with a windows machine (using openconnect-gui) with my 
> kerberos credentials. Which works.
> 
> The next step shall be to use the gained ticket further for webservices within 
> that vpn. How can I tell the browser (e.g. Firefox) to use the ticket gained 
> by openconnect? Is there any way to achieve this?
> 
> I also installed the MIT Kerberos Ticket Manager for Windows. Here (https://
> community.hortonworks.com/content/kbentry/28537/user-authentication-from-
> windows-workstation-to-hd.html) is desribed that it is possible to use that 
> Manager with firefox in order to authenticate to webservices. Although I 
> haven't been able to accomplish that, would it be possible to tell MIT 
> Kerberos Ticket Manager to use the Ticket of the vpn login?
> 
> Is there already a 'usual way' to achieve something like sso via vpn with 
> kerberos with windows clients?
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


More information about the Kerberos mailing list