Hi,
We are looking at way to forward authenticate from a window client to a HTTP based middle tier (internal to our organization) to a third party database. We want the middle tier to impersonate the window client id and pass the Kerberos authentication to the database. Below is a webpage on this double hop scheme on window.
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-d...
If gss-proxy support such scheme, can someone post code snippet (C/C++) for the middle tier.
Thanks in advance.
---------------------------------------------------------------------- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
On 06/13/2014 10:43 AM, Xie, Hugh wrote:
Hi,
We are looking at way to forward authenticate from a window client to a HTTP based middle tier (internal to our organization) to a third party database. We want the middle tier to impersonate the window client id and pass the Kerberos authentication to the database. Below is a webpage on this double hop scheme on window.
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-d...
If gss-proxy support such scheme, can someone post code snippet (C/C++) for the middle tier.
Thanks in advance.
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
gss-proxy mailing list gss-proxy@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/gss-proxy
It is not exactly how it should work. I mean the article is technically correct but not the best approach. Instead of forwarding TGT ticket to the Server 1 user just will use ST for this service as in the normal workflow. The server 1 then should be entitled by KDC to be able to request a ticket to Server 2 on behalf of user. It is called S4u2proxy. You can Google the term and read more about it. Here is a good blog https://ssimo.org/blog/id_011.html
I think gss-proxy is already capable of doing something like this but I would leave to Simo to comment. If you want to implement s4u2proxy just read MIT docs and seek help on kerb-dev.
On Fri, 2014-06-13 at 14:43 +0000, Xie, Hugh wrote:
Hi,
We are looking at way to forward authenticate from a window client to a HTTP based middle tier (internal to our organization) to a third party database. We want the middle tier to impersonate the window client id and pass the Kerberos authentication to the database. Below is a webpage on this double hop scheme on window.
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-d...
If gss-proxy support such scheme, can someone post code snippet (C/C ++) for the middle tier.
Hi Xie, GSS-Proxy supports impersonation when using a local keytab, but not yet the full delegation flow. However GSS-Proxy is not necessary for simple s4u2proxy use.
You can find an example implementation here: https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u2proxy_krb5.c
HTH, Simo.
Simo,
Thanks for your response. Do you know example to that support odbc connection string for the second hop? Here is an sample for t_sd4u.py (our middle tier are python based). https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u.py Two questions: 1. Do I replace service/1 with the HTTP TGT from our window client? 2. For second hop to database, do I replace the S4U2Self step with an ODBC connection to our database?
Thanks again for your help. Hugh
-----Original Message----- From: Simo Sorce [mailto:simo@redhat.com] Sent: Monday, June 16, 2014 9:11 AM To: Xie, Hugh; gss-proxy@lists.fedorahosted.org Cc: Tang, Thomas Subject: Re: [gssproxy] Kerberos Double Hop
On Fri, 2014-06-13 at 14:43 +0000, Xie, Hugh wrote:
Hi,
We are looking at way to forward authenticate from a window client to a HTTP based middle tier (internal to our organization) to a third party database. We want the middle tier to impersonate the window client id and pass the Kerberos authentication to the database. Below is a webpage on this double hop scheme on window.
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerb eros-double-hop.aspx
If gss-proxy support such scheme, can someone post code snippet (C/C ++) for the middle tier.
Hi Xie, GSS-Proxy supports impersonation when using a local keytab, but not yet the full delegation flow. However GSS-Proxy is not necessary for simple s4u2proxy use.
You can find an example implementation here: https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u2proxy_krb5.c
HTH, Simo.
-- Simo Sorce * Red Hat, Inc * New York
---------------------------------------------------------------------- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
On Mon, 2014-06-16 at 13:49 +0000, Xie, Hugh wrote:
Simo,
Thanks for your response. Do you know example to that support odbc connection string for the second hop? Here is an sample for t_sd4u.py (our middle tier are python based). https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u.py Two questions:
- Do I replace service/1 with the HTTP TGT from our window client?
service/1 should be the service name of the service accepting the connection from a client (the proxying service)
service/2 is the final target
- For second hop to database, do I replace the S4U2Self step with an ODBC connection to our database?
The s4u2self step is replaced by whatever inbound connection you get from your clients. When clients connect to service/1 they send you a ticket, that ticket is used as evidence with s4u2proxy to obtain a ticket for service/2
Simo.
One more question, when running the final s4u. It always uses realm.run which spawns off separate processes. Is this necessary? Spawning separate processes could represent some overhead of our middle tier application.
-----Original Message----- From: Simo Sorce [mailto:simo@redhat.com] Sent: Monday, June 16, 2014 10:00 AM To: Xie, Hugh Cc: gss-proxy@lists.fedorahosted.org; Tang, Thomas; McDougall, Daniel Subject: Re: [gssproxy] Kerberos Double Hop
On Mon, 2014-06-16 at 13:49 +0000, Xie, Hugh wrote:
Simo,
Thanks for your response. Do you know example to that support odbc connection string for the second hop? Here is an sample for t_sd4u.py (our middle tier are python based). https://github.com/krb5/krb5/blob/master/src/tests/gssapi/t_s4u.py Two questions:
- Do I replace service/1 with the HTTP TGT from our window client?
service/1 should be the service name of the service accepting the connection from a client (the proxying service)
service/2 is the final target
- For second hop to database, do I replace the S4U2Self step with an ODBC connection to our database?
The s4u2self step is replaced by whatever inbound connection you get from your clients. When clients connect to service/1 they send you a ticket, that ticket is used as evidence with s4u2proxy to obtain a ticket for service/2
Simo.
-- Simo Sorce * Red Hat, Inc * New York
---------------------------------------------------------------------- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
On Mon, 2014-06-16 at 14:32 +0000, Xie, Hugh wrote:
One more question, when running the final s4u. It always uses realm.run which spawns off separate processes. Is this necessary? Spawning separate processes could represent some overhead of our middle tier application.
It is not necessary at all. Simo.
gss-proxy@lists.fedorahosted.org