On 06/13/2014 10:43 AM, Xie, Hugh wrote:
Hi,
We are looking at a way to forward authentication from a Windows client to
an HTTP-based middle tier (internal to our organization) to a third-party
database. We want the middle tier to impersonate the Windows client's
identity and pass the Kerberos authentication through to the database. Below
is a web page on this double-hop scheme on Windows.
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerbero...
If gss-proxy supports such a scheme, can someone post a code snippet
(C/C++) for the middle tier?
Thanks in advance.
_______________________________________________
gss-proxy mailing list
gss-proxy(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/gss-proxy
That is not exactly how it should work.
I mean the article is technically correct, but it is not the best approach.
Instead of forwarding the TGT to Server 1, the user will just use an ST
for this service, as in the normal workflow. Server 1 should then be
entitled by the KDC to request a ticket to Server 2 on behalf of the
user. This is called S4U2Proxy. You can Google the term and read more
about it.
Here is a good blog:
https://ssimo.org/blog/id_011.html
I think gss-proxy is already capable of doing something like this, but I
would leave it to Simo to comment.
If you want to implement S4U2Proxy, just read the MIT docs and seek help on
kerb-dev.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.