Getting started

Harvey Kravis harvey.kravis at
Tue Jul 8 17:50:07 EDT 2003

I have several related questions:

1) I have a client/server database application and would like to
authenticate w/Kerberos independently of the database.  In other words, I
just want to authenticate with Kerberos and will handle database
authentication separately.  The question I have is this: is getting a TGT
through my application sufficient authentication?  Or do I also need to have
a homegrown server app grant me a regular ticket?  It seems to me that a TGT
is sufficient because it is username/password based, my users have to enter
a username and password each time they log in, and I'd like to avoid the
complexity of the socket thing and granting regular tickets.  Each Kerberos
user relates to a corresponding database user.  All of the database users
will have the same password known only to my program.

2) If I want to provide single sign-on in the future, is there a way to
programmatically determine which Kerberos user the current TGT is for under
the above scenario?  I need to know which database user to log in with in
that situation.

3) Is there good sample code out there that anyone can recommend?  I have
the "Kerberos, A Network Authentication System" book by Brian Tung, but I'm
looking for something better.

4) What's a good source of information for doing this kind of authentication
(Kerberos independent of the database) in a web (.NET) application?

Any help would be appreciated!

Harvey Kravis
SunGard BSR Inc.

More information about the krbdev mailing list