Updates (multi-realm) to Leash32...
jaltman at columbia.edu
Fri Jan 10 18:19:01 EST 2003
Ken Hornstein wrote:
>>I never said that I wanted to pick which principal, just the realm.
>Right .... buuutttt ...
>>In an application, such as mulberry, I can tell the app which realm
>>I want to authenticate to. I may have several identities in the
>>client, and each identity would have a different realm that it would
>But how are the clients managing these multiple identities? Other than
>the Mac (and as it was pointed out, Reflection), you can't have multiple
>identities at the same time.
>In my experience, in the V5 world the service name determines the realm,
>but that doesn't affect the client principal chosen (because generally
>programs pick the "primary" principal out of the credential cache, and
>there is only one of them).
It is certainly possible to have multiple credential caches. I'm sure
that Reflection does exactly what K95 does. It creates separate caches
for each principal name that is entered. The trick is being able to
choose which principal should be used for which connection. The problem
is that in order for this to work properly from within an application,
the application must know the binding between principal names and the
Mulberry or Reflection may have a database for each connection that
assigns the principal to be used on that connection. The application
could then check the default credentials cache to see if it contains
credentials for the required principal name. If so, it uses those
credentials. If not, it creates a new cache and performs a TGT request
on behalf of the user. In so doing, it is able to maintain the binding
between principal name and cache name; support multiple principals; and
not destroy the default credentials.
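
The cache-selection procedure described in the message above, as an added example that is not part of the original post: an in-memory Python model, not calls to any Kerberos library. The class names, cache names, hostnames and principals are hypothetical and constructed for illustration.

```python
# In-memory model of the cache-selection logic; all names are hypothetical
# and no real Kerberos library is called.
from dataclasses import dataclass, field

@dataclass
class CredCache:
    name: str                      # constructed cache name
    principal: str                 # client principal that owns the cache
    tickets: list = field(default_factory=list)

class CacheManager:
    def __init__(self, default_cache, connection_db, request_tgt):
        self.default = default_cache          # never re-initialized here
        self.connection_db = connection_db    # connection -> principal name
        self.request_tgt = request_tgt        # callback: principal -> TGT
        self.bindings = {}                    # principal -> CredCache

    def cache_for(self, connection):
        """Return the cache holding credentials for this connection."""
        principal = self.connection_db[connection]
        # 1. The default cache already belongs to the required principal.
        if self.default is not None and self.default.principal == principal:
            return self.default
        # 2. A cache was created earlier for this principal: reuse it.
        if principal in self.bindings:
            return self.bindings[principal]
        # 3. Create a new cache and request a TGT into it, leaving the
        #    default cache untouched and recording the binding.
        cache = CredCache(name=f"MEMORY:app_{len(self.bindings)}",
                          principal=principal)
        cache.tickets.append(self.request_tgt(principal))
        self.bindings[principal] = cache
        return cache

def demo():
    # Constructed sample data: two connections bound to different realms.
    requests = []
    def fake_tgt(principal):
        requests.append(principal)
        return "krbtgt/{0}@{0}".format(principal.rsplit("@", 1)[1])
    default = CredCache("FILE:/tmp/krb5cc_1000", "alice@EXAMPLE.COM",
                        ["krbtgt/EXAMPLE.COM@EXAMPLE.COM"])
    db = {"imap.example.com": "alice@EXAMPLE.COM",
          "imap.example.org": "alice2@EXAMPLE.ORG"}
    mgr = CacheManager(default, db, fake_tgt)
    hosts = ["imap.example.com", "imap.example.org", "imap.example.org"]
    caches = [mgr.cache_for(h) for h in hosts]
    return default, caches, requests
```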