Secure authentication to AD
Jeffrey Altman
jaltman at columbia.edu
Wed Aug 11 21:49:47 EDT 2004
Pal, Dmitri wrote:
>As far as I understand the Active Directory is my KDC in this case.
The Windows domain controller is your KDC.
>So I initialize gss context using GSS api. That creates some data that is sent to the AD via LDAP SASL bind. Server cracks this data using GSS api on its side and creates TGT ticket which it sends back (encrypted with user password). Correct?
No. You must have a TGT issued by the domain controller before you attempt to use SASL GSSAPI.
GSSAPI will use the TGT you already have to obtain a service ticket for the Active Directory. The service ticket will be used to perform authentication with the service and provide a session key to be used for data protection operations.
>But now what? Where do I need to supply the password?
You supplied the username and password during the login process. In Windows, obtaining a TGT may be a side effect of WinLogon or RunAs.
On Unix, you configure the login process to use a Kerberos 5 PAM module to obtain a TGT, or you use the kinit command.
>I have not found any place in any function in GSSAPI (maybe I have not looked deeply enough) where I need to pass in the password for the user account?
GSSAPI does not provide credential management operations.
>As far as I understand the GSSAPI Kerberos v5 implementation should be self-contained - i.e. internally it does not do any communication with KDC. All the credential information is passed in, it does the processing, signing, etc. and creates the security token that I need to send over to server through some mechanism (in my case LDAP SASL).
This is not true. GSSAPI communicates with the Kerberos 5 implementation, which will contact the KDC as needed to obtain a service ticket if one is not already cached.
>I cannot rely on having any other credential from previous (local) authentication because the software I am developing should be platform independent (UNIX, Linux, Windows), so the TGT that one can have on Windows is not available on UNIX. And please do not tell me that to solve this problem from UNIX the only way is to install the KDC on UNIX and establish trust with AD - that would be too much.
You can configure the MIT Kerberos libraries on Unix to use the Windows KDC.
Jeffrey Altman
More information about the krbdev mailing list
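The Unix side of the procedure Jeffrey describes, written out as an added example (this is not code from the original post or from the MIT Kerberos project): point the MIT Kerberos libraries at the Windows domain controller through krb5.conf, obtain the TGT with kinit (the only step where the password is entered), and then let the LDAP client do a SASL GSSAPI bind, which fetches the ldap/ service ticket from the cached TGT without any further password. The realm EXAMPLE.COM, the host dc1.example.com, the user dpal and the path /tmp/krb5.conf.ad are assumptions chosen for illustration; the tools used (kinit, klist, ldapwhoami) are the standard MIT krb5 and OpenLDAP client commands.

```shell
#!/bin/sh
# Added example, not from the original post or from MIT Kerberos.
# Realm, host name, user name and config path below are assumptions.

# Print a minimal MIT krb5.conf whose KDC is an Active Directory domain
# controller. AD realms are the DNS domain name in upper case, and the DC
# acts as both KDC and (for kpasswd) admin server.
# $1 = Kerberos realm, e.g. EXAMPLE.COM
# $2 = domain controller host name, e.g. dc1.example.com
make_krb5_conf() {
    realm=$1
    kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Resolve the KDC from this file rather than DNS SRV records.
    dns_lookup_kdc = false
    # Do not canonicalize the service host via reverse DNS; the service
    # principal must match the SPN registered in AD (ldap/$kdc).
    rdns = false
    ticket_lifetime = 10h

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Obtain a TGT from the domain controller and use it for an LDAP SASL
# GSSAPI bind. Needs network access to the DC and a clock within AD's
# default 5-minute skew limit, so this is not run by the test below.
# $1 = user name, $2 = realm, $3 = domain controller host name
ad_gssapi_bind() {
    user=$1
    realm=$2
    kdc=$3
    # Use a private krb5.conf so the system one is left untouched (assumed path).
    export KRB5_CONFIG=${KRB5_CONFIG:-/tmp/krb5.conf.ad}
    make_krb5_conf "$realm" "$kdc" > "$KRB5_CONFIG"

    # Step 1: the TGT. kinit prompts for the password and talks AS-REQ/AS-REP
    # to the KDC; GSSAPI itself never sees the password.
    kinit "$user@$realm" || return 1
    klist

    # Step 2: SASL GSSAPI bind. The Kerberos library obtains a service ticket
    # for ldap/$kdc@$realm from the cached TGT and GSSAPI uses it to
    # authenticate; no credential is passed to the LDAP client here.
    ldapwhoami -Y GSSAPI -H "ldap://$kdc"
}

# Usage (requires a reachable domain controller):
#   ad_gssapi_bind dpal EXAMPLE.COM dc1.example.com
```

If kinit succeeds but the bind fails, the usual causes are a service principal mismatch (the host name given to ldapwhoami must be the one AD registered as the SPN, which is why rdns is disabled above) or the DC requiring LDAP signing, which the GSSAPI SASL layer negotiates automatically with current OpenLDAP and Cyrus SASL versions.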