Confusion about delegation

John Byrne jhnbyrn at gmail.com
Thu Jan 31 13:32:45 EST 2019


Hi,

I'm confused about a couple of points regarding delegation - could anyone
help to educate me please?

I am trying to perform a constrained delegation authentication with a web
application. The user authenticates to a web application (principal
HTTP/www.example.com) and that web application then authenticates to another
web app (HTTP/datastore.example.com).

Based on the information here (
https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html) I think I
need the first web app to get proxy credentials for the user from the KDC,
then initialize a security context using those creds, and then use the
token it gets from that security context to authenticate against second web
app as that user. Have I read that correctly?

With this in mind, I'm using the following code on the intermediate server.
It's using the python-gssapi library, which uses MIT krb5 underneath (v
1.15.1). Hopefully it's clear what's happening here in pure gssapi terms:

    import base64
    import gssapi
    import requests

    name = gssapi.Name('HTTP/www.example.com')  # the principal for this service
    creds = gssapi.Credentials(name=name, usage='initiate')
    username = gssapi.Name('kerbtestjohn')  # the user that this service wants to impersonate
    proxy_creds = creds.impersonate(username, usage='initiate')
    target_name = gssapi.Name('HTTP/datastore.example.com')  # the service that this service wants to access as the impersonated user
    client_ctx = gssapi.SecurityContext(name=target_name, creds=proxy_creds, usage='initiate')
    initial_client_token = client_ctx.step()
    t = base64.b64encode(initial_client_token).decode('ascii')  # b64encode returns bytes; decode before building the header string
    headers = {'Authorization': 'Negotiate ' + t}
    r = requests.get('http://datastore.example.com/', headers=headers)

The client_ctx.step() call returns this error: gssapi.raw.misc.GSSError:
Major (851968): Unspecified GSS failure.  Minor code may provide more
information, Minor (2529639053): Matching credential not found

I've made sure that the target_name principal is in the default keytab, but
honestly I'm not even sure why it's looking for a credential for this
principal at this point. In any case, having it in the keytab doesn't seem
to help.

The surprising thing is that if I initialize the context with the other
name instead (HTTP/www.example.com), then this code works perfectly, and
authenticates me as 'kerbtestjohn' to www.datastore.com. I didn't think
that should work. Even stranger, if I omit the proxy_creds from the
SecurityContext, then it also works, using either of the 2 service names.
So I can impersonate users without the proxy creds!? Shouldn't that be
rejected?

The final confusing thing is that I don't have the 'ok_to_auth_as_delegate'
bit set on any of my principals. Shouldn't I have to set that for
HTTP/www.example.com in order for that service to be able to impersonate a user?

The datastore.example.com service is using nginx +
spnego-http-auth-nginx-module. Again, this uses MIT krb5 (same version,
1.15.1). I don't see any signs that this component is not working
correctly. It's definitely enforcing authentication.

Can anyone explain what I'm doing wrong here? Thanks in advance for any
insight you can provide!

-John
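A defender-side check, added here and not part of John's post: given the output of `kadmin.local -q "getprinc <principal>"` for the two service principals in the thread, it reports which delegation-related attributes the KDC has set on each. The sample getprinc output is constructed to match the situation described above (ok_to_auth_as_delegate not set on the impersonating service); the attribute names are the ones MIT kadmin prints on its "Attributes:" line.

```python
"""Report delegation-related KDC attributes for the principals in an
S4U2Proxy (constrained delegation) flow, parsed from kadmin getprinc output."""
import re

# Attribute names as printed by MIT kadmin 'getprinc', with the modprinc flag that sets each.
DELEGATION_ATTRS = {
    "OK_TO_AUTH_AS_DELEGATE": "+ok_to_auth_as_delegate (service may obtain S4U tickets for users)",
    "OK_AS_DELEGATE": "+ok_as_delegate (tickets to this service carry the ok-as-delegate flag)",
}


def parse_getprinc(text):
    """Parse one or more concatenated 'getprinc' outputs into {principal: set(attributes)}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = re.match(r"Attributes:\s*(.*)", line)
        if m and current is not None:
            result[current] = set(m.group(1).split())
    return result


def delegation_report(principals, intermediate, target):
    """For the impersonating service and its target, map each delegation attribute to set/unset.
    A principal missing from the dump maps to None so the caller can tell 'absent' from 'unset'."""
    report = {}
    for svc in (intermediate, target):
        attrs = principals.get(svc)
        report[svc] = None if attrs is None else {a: (a in attrs) for a in DELEGATION_ATTRS}
    return report


# Constructed sample: what getprinc might print for the two services in the thread.
SAMPLE = """\
Principal: HTTP/www.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: HTTP/datastore.example.com@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH OK_AS_DELEGATE
"""

if __name__ == "__main__":
    report = delegation_report(parse_getprinc(SAMPLE),
                               "HTTP/www.example.com@EXAMPLE.COM",
                               "HTTP/datastore.example.com@EXAMPLE.COM")
    for svc, flags in report.items():
        print(svc, "-> not in database" if flags is None else
              ", ".join(f"{a}={'set' if v else 'unset'}" for a, v in flags.items()))
```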

