Updates (multi-realm) to Leash32...

Jeffrey Altman jaltman at columbia.edu
Fri Jan 10 18:19:01 EST 2003


Ken Hornstein wrote:

>>I never said that I wanted to pick which principal, just the realm.
>
>Right .... buuutttt ...
>
>>In an application, such as Mulberry, I can tell the app which realm
>>I want to authenticate to.  I may have several identities in the
>>client, and each identity would have a different realm that it would
>>auth against.
>
>But how are the clients managing these multiple identities?  Other than
>the Mac (and as it was pointed out, Reflection), you can't have multiple
>identities at the same time.
>
>In my experience, in the V5 world the service name determines the realm,
>but that doesn't affect the client principal chosen (because generally
>programs pick the "primary" principal out of the credential cache, and
>there is only one of them).
>
It is certainly possible to have multiple credential caches.  I'm sure
that Reflection does exactly what K95 does.  It creates separate caches
for each principal name that is entered.  The trick is being able to
choose which principal should be used for which connection.  The problem
is that in order for this to work properly from within an application,
the application must know the binding between principal names and the
cache names.

Mulberry or Reflection may have a database for each connection that 
assigns the principal to be used on that connection.  The application 
could then check the default credentials cache to see if it contains 
credentials for the required principal name.  If so, it uses those 
credentials.  If not, it creates a new cache and performs a TGT request 
on behalf of the user.  In so doing, it is able to maintain the binding 
between principal name and cache name; support multiple principals; and 
not destroy the default credentials.  
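The per-connection selection scheme described in the reply above, modelled as an added example (not code from Leash32, K95, Reflection or Mulberry): the application keeps a connection-to-principal table, reuses the default cache when it already holds that principal, and otherwise creates a separate cache and obtains a TGT into it, so the default credentials are never overwritten. The cache names and the `get_tgt` callback are constructed stand-ins for a real ccache and kinit.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed model of a credential-cache collection.  Cache names follow a
# hypothetical FILE:/tmp/krb5cc_N pattern; nothing here touches a real KDC.

@dataclass
class CacheCollection:
    default_cache: str                        # name of the default ccache
    contents: Dict[str, Optional[str]]        # cache name -> principal it holds
    connection_principal: Dict[str, str]      # per-connection config: connection -> principal
    binding: Dict[str, str] = field(default_factory=dict)  # principal -> cache name
    _counter: int = 0

    def cache_for(self, connection: str,
                  get_tgt: Callable[[str, str], None]) -> str:
        """Return the cache name to use for this connection, creating one if needed."""
        princ = self.connection_principal[connection]

        # 1. A cache was already bound to this principal by an earlier connection.
        if princ in self.binding:
            return self.binding[princ]

        # 2. The default cache already holds credentials for the required
        #    principal: use them as they are.
        if self.contents.get(self.default_cache) == princ:
            self.binding[princ] = self.default_cache
            return self.default_cache

        # 3. Otherwise create a new cache and request a TGT into it on behalf
        #    of the user; the default cache is left untouched.
        self._counter += 1
        name = f"FILE:/tmp/krb5cc_{self._counter}"   # hypothetical naming
        get_tgt(princ, name)                          # stand-in for kinit
        self.contents[name] = princ
        self.binding[princ] = name
        return name
```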



