About Kerberos user delegation based on client SSL certificate

Greg Hudson ghudson at mit.edu
Thu Aug 28 11:46:33 EDT 2014

On 08/27/2014 11:27 PM, 猛牛 wrote:
> My question: does the latest krb5 library support this requirement - making
> Kerberos user delegation based on client certificate?

MIT krb5 has supported S4U2Self (aka protocol transition) and S4U2Proxy
(aka constrained delegation) since release 1.8.  Unfortunately, it is
not yet documented as well as it should be.  For now, the project page
at http://k5wiki.kerberos.org/wiki/Projects/Services4User is the only

At this time we don't have public APIs for presenting the user's
certificate during S4U2Self.  The KDC would only use the certificate to
identify the user, not as an authentication credential, so if you
already have a way to pick a username based on the certificate, this
shouldn't be a problem.

The public interface for S4U2Self is gss_acquire_cred_impersonate_name.
(The krb5_get_credentials_for_user function you found earlier is a
badly-named internal interface.)  You can find an example program using
gss_acquire_cred_impersonate_name in src/tests/gssapi/t_s4u.c in our
source tree.

Once you have performed S4U2Self using
gss_acquire_cred_impersonate_name, you can perform S4U2Proxy and
authentication to the target service simply by calling
gss_init_sec_context with the credentials you acquired.
