Multi-Hop Authentication and Constrained Delegation?

Robert Wehn robert.wehn at rz.uni-augsburg.de
Wed May 22 14:17:38 EDT 2019


Dear List,

we are looking into multi-hop, single-sign-on authentication in the
context of a file service and a sync & share-like front-end to that file
service. The scenario would be as follows:

- The user is (Kerberos-)authenticated to the client OS.
- The sync & share client (imagine NextCloud or similar) on the
  client OS authenticates the user with a Kerberos ticket to the
  sync & share server: first hop.
- The sync & share server accesses (on behalf of the user, i.e.
  impersonated) the file service (also known as "external storage"),
  based on a Kerberos authentication: second hop.

We are a little bit lost as to how to accomplish something like that. We
were in the first place discussing ticket forwarding, but people dislike
forwarding of TGTs... So we were directed to the concept of
"constrained delegation", sometimes used in Microsoft/AD environments.

It looks like constrained delegation has been implemented in MIT since
version 1.8:
http://web.mit.edu/KERBEROS/krb5-1.11/doc/mitK5features.html
http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation

However, we are lacking information on how to actually implement and
use it on the application side.

How to implement constrained delegation in an application?

Is there an open source application out there where one could see and
learn how to implement constrained delegation?

Does Apache implement anything of that kind that one could build on and
rely on?

Is there a recommended way (library, bindings, anything...) to
implement Kerberos mechanics in a PHP application?

Best regards
Robert

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
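As an added illustration (not part of Robert's message and not MIT krb5 code), the following constructed Python model contrasts the TGT forwarding the post mentions with the S4U2Proxy exchange that the MIT constrained-delegation project implements. The principals, the allowed-targets table and the KDC checks are simplified assumptions: in a real deployment the second hop is performed through GSSAPI (MIT's gss_acquire_cred_impersonate_name extension, wrapped by bindings such as python-gssapi), and the list of targets a service may delegate to is policy held in the KDC's principal database, never something the application decides for itself.

```python
"""Toy model: forwarded TGT vs. S4U2Proxy constrained delegation.

Constructed for illustration only. The KDC logic below is a simplified
rendering of the protocol rules (evidence ticket must be for the requesting
service, must be forwardable, and the target must be on the requester's
allowed-delegation list); it is not MIT krb5 code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ticket:
    client: str          # end-user principal the ticket was issued for
    service: str         # principal the ticket is good for ("krbtgt" = a TGT)
    forwardable: bool    # FORWARDABLE flag; S4U2Proxy requires it on the evidence ticket


class DelegationDenied(Exception):
    """Raised when the modelled KDC refuses a request."""


@dataclass
class KDC:
    # services known to this constructed sample realm
    services: set
    # constrained-delegation policy: service -> targets it may impersonate users to
    allowed_to_delegate_to: dict = field(default_factory=dict)

    def tgs_req(self, tgt: Ticket, service: str) -> Ticket:
        """Ordinary TGS-REQ: whoever holds a TGT gets a ticket for any service."""
        if tgt.service != "krbtgt" or service not in self.services:
            raise DelegationDenied(f"no such service {service}")
        return Ticket(tgt.client, service, forwardable=True)

    def s4u2proxy(self, requester: str, requester_tgt: Ticket,
                  evidence: Ticket, target: str) -> Ticket:
        """S4U2Proxy: the requester presents the user's ticket to itself (the
        evidence ticket) plus its own TGT and asks for a ticket to `target`
        in the user's name. The KDC, not the requester, enforces the policy."""
        if requester_tgt.client != requester or requester_tgt.service != "krbtgt":
            raise DelegationDenied("requester must authenticate with its own TGT")
        if evidence.service != requester:
            raise DelegationDenied("evidence ticket is not for the requesting service")
        if not evidence.forwardable:
            raise DelegationDenied("evidence ticket is not forwardable")
        if target not in self.allowed_to_delegate_to.get(requester, set()):
            raise DelegationDenied(f"{requester} may not delegate to {target}")
        return Ticket(evidence.client, target, forwardable=False)


SYNC_SERVER = "HTTP/sync.example.org"      # constructed sync & share principal
FILE_SERVICE = "cifs/files.example.org"    # constructed "external storage" principal


def build_realm() -> KDC:
    """Constructed realm: the sync server may delegate only to the file service."""
    return KDC(
        services={SYNC_SERVER, FILE_SERVICE, "ldap/dir.example.org"},
        allowed_to_delegate_to={SYNC_SERVER: {FILE_SERVICE}},
    )


def scenario_forwarded_tgt(kdc: KDC, user_tgt: Ticket) -> list:
    """Unconstrained: the server holds the user's forwarded TGT and can obtain
    a ticket to every service in the realm as that user."""
    return [kdc.tgs_req(user_tgt, s).service for s in sorted(kdc.services)]


def scenario_constrained(kdc: KDC, user_tgt: Ticket, target: str) -> Ticket:
    """Constrained: the server only ever sees the user's ticket to itself."""
    # first hop: the client obtains a ticket to the sync server and presents it
    evidence = kdc.tgs_req(user_tgt, SYNC_SERVER)
    server_tgt = Ticket(SYNC_SERVER, "krbtgt", forwardable=False)
    # second hop: the server asks the KDC for a ticket to `target` in the user's name
    return kdc.s4u2proxy(SYNC_SERVER, server_tgt, evidence, target)


if __name__ == "__main__":
    realm = build_realm()
    alice = Ticket("alice", "krbtgt", forwardable=True)
    print("forwarded TGT reaches:", scenario_forwarded_tgt(realm, alice))
    print("S4U2Proxy to file service:", scenario_constrained(realm, alice, FILE_SERVICE))
    try:
        scenario_constrained(realm, alice, "ldap/dir.example.org")
    except DelegationDenied as exc:
        print("S4U2Proxy to LDAP refused:", exc)
```

The point the model makes is the one behind the dislike of TGT forwarding: with a forwarded TGT the sync & share server can act as the user against any service, whereas with S4U2Proxy it can only obtain tickets to the targets the KDC administrator has listed for it, and only while it holds a forwardable evidence ticket from that user.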


More information about the Kerberos mailing list