Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Amit Thukral amit.thukral403 at gmail.com
Tue Aug 25 07:53:42 EDT 2015


I am trying to implement Kerberos authentication between clients and
Windows KDC using certificates.
The product on which this needs to be implemented is a Linux-based reverse
We have already integrated the MIT Kerberos libraries with it and are able to
authenticate clients with the Windows KDC,
i.e. we are able to get a TGT on behalf of the client (by setting the forwardable
flag for the AS-REQ), pass it back to the browser (client), and thus the client
authenticates using that ticket with servers protected behind our product.
But for this, as of now, when a user tries to access a service
protected behind our product, we prompt him with a login form where he enters
his credentials, using which we call the
krb5_get_init_creds_password API to send the AS-REQ and get the TGT.

Now, we want to achieve this using certificates.
Will the same API be used, with the anchor and identity-value from the
certificate, or is there another API to be used to get the TGT?
I used the same API and am able to get an AS-REP which has the TGT, but it doesn't get
stored in the credential cache; I am not sure why.
Also, is it possible to achieve Constrained Delegation using certificates
for our product, considering we are a Linux-based reverse proxy and the client and
server would be mostly Windows?

If this is not the right forum, kindly point me to the right mailing list.

Thanks!!

