user1598862

Reputation: 1

Kerberos/negotiate S4U2proxy authenticate on behalf of user

I would like to do authentication at a proxy on behalf of a user via the Kerberos/Negotiate protocol. The user will authenticate with a form login to the server; the server then knows who the user is, and the server has to authenticate to a backend server on behalf of the user using Kerberos.

Please help me with sample code or point me to some good references.

Thank you in advance.

-csr

Upvotes: 0

Views: 3355

Answers (2)

Richard E. Silverman

Reputation: 1101

Michael: the OP is asking about what MS calls "constrained delegation," the S4U Kerberos extension they invented, rather than the standard delegation (TGT forwarding) to which you're referring.

CSR: first off: is the user providing their Kerberos password in your "form login?" If so, you don't need to use S4U; you can just kinit with the password and get credentials directly.

If not, then this is indeed one use case for which S4U is intended. You didn't say, but I'll assume you're in a Windows environment, although S4U has been added to MIT Kerberos as well.

Rather than have the client forward a TGT, S4U allows the domain administrator to authorize a service principal to independently impersonate any user to a limited set of other services. To enable a service for constrained delegation:

  • MMC "Users and Computers" snap-in
  • select the properties for the service account
  • "Delegation" tab
  • "trust... for delegation to specified services"

In your case, you'll also need to set "use any authentication protocol;" this enables "protocol transition." If your service were authenticating the user with Kerberos, you could have the DC require the service to present a recent ticket from the client, proving it has some business doing this. Since you're using a different authentication method, though, you have to forgo that check; that's what protocol transition does.

I'd start here for understanding S4U: http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx.

I have written a patch for Apache mod_auth_kerb implementing constrained delegation for Unix web services, so it does in fact work. :)

Upvotes: 1
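The directory settings and the server-side call described in the answer above, as an added example that is not part of the original answer. It is PowerShell: the first function is the "Delegation" tab expressed as directory writes (needs the RSAT ActiveDirectory module and rights on the service account), the second is what the web server does after the form login, using the .NET Framework WindowsIdentity constructor that performs S4U2self (Windows PowerShell 5.1 assumed). All names are assumptions: service account svc_web (the account the web server process runs as), web SPN HTTP/web.corp.example.com, backend SPN HTTP/backend.corp.example.com, user alice@corp.example.com. It goes one step beyond the answer by checking the token level S4U2self returns, which is where you notice that "use any authentication protocol" is missing.

```powershell
# Added example (not from the original answer). Assumed names: service account
# svc_web, web SPN HTTP/web.corp.example.com, backend SPN
# HTTP/backend.corp.example.com, user alice@corp.example.com.

# ---- Part 1: the "Delegation" tab, as directory writes (admin workstation) ----
function Enable-ConstrainedDelegation {
    param(
        [string]$ServiceAccount,   # e.g. svc_web
        [string]$ServiceSpn,       # e.g. HTTP/web.corp.example.com
        [string[]]$TargetSpns      # e.g. HTTP/backend.corp.example.com
    )
    Import-Module ActiveDirectory

    # The web service needs its own SPN so the KDC can issue it S4U2self tickets.
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $ServiceSpn}

    # "Trust ... for delegation to specified services only": the allowed
    # targets live in msDS-AllowedToDelegateTo; the KDC refuses S4U2proxy
    # for any SPN that is not in this list.
    Set-ADUser -Identity $ServiceAccount -Add @{'msDS-AllowedToDelegateTo' = $TargetSpns}

    # "Use any authentication protocol": sets TRUSTED_TO_AUTH_FOR_DELEGATION in
    # userAccountControl. Without it S4U2self still succeeds, but the token is
    # identification-level only and cannot be used for S4U2proxy.
    Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true

    # Read back what was written.
    Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames,
        'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
        Select-Object SamAccountName, ServicePrincipalNames,
            'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
}

# ---- Part 2: on the web server, running as svc_web, after the form login ----
function Invoke-BackendAsUser {
    param(
        [string]$UserPrincipalName,  # e.g. alice@corp.example.com
        [string]$Uri                 # e.g. https://backend.corp.example.com/api/whoami
    )
    # S4U2self (protocol transition): the DC issues a ticket to our own service
    # for the named user without that user's password or any ticket from them.
    $identity = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)

    # With "use any authentication protocol" unset you get an Identification
    # token here; impersonating it will not let you reach the backend.
    if ($identity.ImpersonationLevel -ne 'Impersonation') {
        $msg = "Token for $UserPrincipalName is $($identity.ImpersonationLevel)-level; " +
               "check 'use any authentication protocol' on the service account."
        throw $msg
    }

    $ctx = $identity.Impersonate()
    try {
        # SSPI uses the impersonated token: the Kerberos client asks the DC for
        # HTTP/backend... on the user's behalf (S4U2proxy), which the DC grants
        # only because that SPN is listed in msDS-AllowedToDelegateTo.
        $req = [System.Net.HttpWebRequest]::Create($Uri)
        $req.UseDefaultCredentials = $true
        $resp = $req.GetResponse()
        try {
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            return $reader.ReadToEnd()
        }
        finally { $resp.Close() }
    }
    finally {
        $ctx.Undo()   # always drop the user's token, even on failure
    }
}

# Usage (assumed names):
# Enable-ConstrainedDelegation -ServiceAccount svc_web -ServiceSpn HTTP/web.corp.example.com -TargetSpns HTTP/backend.corp.example.com
# Invoke-BackendAsUser -UserPrincipalName alice@corp.example.com -Uri https://backend.corp.example.com/api/whoami
```

The backend must have HTTP/backend.corp.example.com registered as an SPN on its own account and accept Negotiate, and the impersonation only covers the thread that made the request, so keep the backend call synchronous as shown. WindowsIdentity.Impersonate() is the .NET Framework API; on newer .NET the equivalent is WindowsIdentity.RunImpersonated.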

Michael-O

Reputation: 18405

Have the client send a forwardable (OK-AS-DELEGATE) ticket to you. You can extract the TGT from that and impersonate to perform your task. This works in my case when I receive a service ticket from IE or FF and bind against the AD for the user.

Upvotes: 0
