Simo,
Thanks for your response. Do you know of an example that supports an ODBC connection string for
the second hop?
Here is a sample, t_s4u.py (our middle tier is Python based).
https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u.py
Two questions:
1. Do I replace service/1 with the HTTP TGT from our Windows client?
2. For the second hop to the database, do I replace the S4U2Self step with an ODBC connection to
our database?
Thanks again for your help.
Hugh
-----Original Message-----
From: Simo Sorce [mailto:simo@redhat.com]
Sent: Monday, June 16, 2014 9:11 AM
To: Xie, Hugh; gss-proxy(a)lists.fedorahosted.org
Cc: Tang, Thomas
Subject: Re: [gssproxy] Kerberos Double Hop
On Fri, 2014-06-13 at 14:43 +0000, Xie, Hugh wrote:
Hi,
We are looking at a way to forward authentication from a Windows client to
an HTTP-based middle tier (internal to our organization) to a third-party
database. We want the middle tier to impersonate the Windows client id
and pass the Kerberos authentication to the database. Below is a
webpage on this double-hop scheme on Windows.
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
If gss-proxy supports such a scheme, can someone post a code snippet (C/C++)
for the middle tier?
Hi Xie,
GSS-Proxy supports impersonation when using a local keytab, but not yet the full
delegation flow.
However, GSS-Proxy is not necessary for simple S4U2Proxy use.
You can find an example implementation here:
https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u2proxy_krb5.c
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain
information that is privileged, confidential and/or proprietary and subject to important
terms and conditions available at
http://www.bankofamerica.com/emaildisclaimer. If you
are not the intended recipient, please delete this message.