
Webauth and SPNEGO with credential delegation

Joachim Keltsch joachim at
Sat Jun 16 07:43:44 PDT 2007

Hi folks,

I need Kerberos credential delegation to web-frontends. This way the
web-frontends may access databases, imap-servers, etc. using Kerberos.

This works out of the box with apache and mod-auth-kerb. However, this
has two serious drawbacks.
a) only TGTs can be forwarded
b) the TGT is forwarded for *each* HTTP request, and the application
will also request new service tickets with each request. This results in
heavy KDC load, as there may be many HTTP requests with each mouse click.

However, webauth seems to solve this problem. The user authenticates
once only at the login page and then credentials are wrapped into
cookies. So one KDC request only is made per session and service.

I've tried - and it works perfectly. Thanks guys!
I get one TGT request and one service request per session only - great!
It works for users authenticating using username and password.

It does not work for SPNEGO kerberized logins, of course. Apache only
supplies the username and that's it. So as I understand the docs, some
pseudo token is generated. This obviously cannot contain a TGT as apache
had none available.

However, I'd expect it to work for kerberized logins with ticket
forwarding - Apache then supplies not only the username but also a valid
ticket cache containing a TGT.

As I understand it, the webkdc obtains a TGT from the Kerberos KDC with
the password and username provided in the login form. This is somehow
wrapped into the cookies and used later.
So shouldn't it be possible to directly use the TGT provided by the
Web-Server instead and wrap that into the cookies? (Assuming that a TGT
has been forwarded, of course)

Did I miss some configuration option or is it not yet possible?

Thanks for any hints!


firefox SPNEGO configuration for TGT forwarding:
    network.negotiate-auth.trusted-uris: https://
    network.negotiate-auth.delegation-uris: https://

apache Kerberos configuration to supply the TGT to applications:
        <Location "/login">
                AuthType Kerberos
                # SPNEGO/Negotiate only; no password fallback
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                Krb5Keytab /etc/apache2/apache2.keytab
                # store the forwarded TGT in a credential cache
                # and pass its path to the application via KRB5CCNAME
                KrbSaveCredentials on
                AuthName "Kerberos Realm KLB.EXAMPLE"
                require valid-user
                ErrorDocument 401 /login-plain
        </Location>

More information about the webauth-info mailing list