About Kerberos user delegation based on client SSL certificate

猛牛 piggyobserver at gmail.com
Wed Aug 27 23:27:03 EDT 2014

Hi, Team,
I am developing an HTTP proxy which needs to perform Kerberos user delegation
based on the client's SSL certificate.
In our case, what the proxy can get from the clients are their public
certificates. Our KDC is on Windows Server 2008. On the server, these
client certificates are mapped to the corresponding user accounts in AD. And
we created a user account for the proxy which has the Kerberos delegation
privilege. To perform HTTP user Kerberos delegation, the proxy needs to obtain
a service ticket on behalf of the client using the client's public
certificate (here we don't have the client's private key).

My question: does the latest krb5 library support this requirement, i.e. making
Kerberos user delegation based on a client certificate? If supported, are
there any documents or code examples? I am a newbie to Kerberos. Any help
will be much appreciated!

BTW, I checked the source code of krb5-1.12.1 and found a relevant function,
listed below. The function has a "subject_cert" argument. I don't know
if we should use this function. I also searched for the function on the Internet.
Unfortunately, there is very little information about it.

krb5_error_code KRB5_CALLCONV
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
                              krb5_ccache ccache, krb5_creds *in_creds,
                              krb5_data *subject_cert,
                              krb5_creds **out_creds)
