kaduk at mit.edu
Wed Oct 31 12:00:37 EDT 2018
On Wed, Oct 31, 2018 at 02:36:39PM +0000, moore moore wrote:
> Hello,I hope I have the correct forum for some guidance.
> I have the following scenario:
> Clients(generally web based), linux proxy and windows server farm.The proxy is configured with a user that is configured for kerberos constrained delegation.A TGT is granted for this user with delegation enabled.
> TGS are also granted and everything works OK.
> However I have a resource utilization problem on the proxy where the windows servers are frequently requesting re authorization with 401 Negotiate.
> This causes and intermediate process on the proxy to contact the KDC for new TGS.
> Is there a way for the intermediate process to generate service tickets without having to go to the KDC? It already has the TGT.
> Or is a round trip to the KDC ( Windows AD) always required to get service tickets?
The TGT is used to authenticate to the TGS so that the TGS can issue
service tickets; the TGT alone is not enough to produce service tickets.
> Due to the connection behavior, there are very many TGS_REQs on the wire.
> Is there any way to optimize this behavior and avoid so much traffic back and forth to the KDC for TGS_REQ/TGS_RSP.
Are the 401 Negotiates doing credential delegation or just authentication?
For authentication the clients should be able to cache service tickets and
reuse them, without need for a TGS exchange for every HTTP authentication.
More information about the krbdev