Webauth and SPNEGO with credential delegation
joachim at keltsch.net
Sat Jun 16 07:43:44 PDT 2007
I need Kerberos credential delegation to web-frontends. This way the
web-frontends may access databases, imap-servers, etc. using Kerberos.
This works out of the box with apache and mod-auth-kerb. However, this
has two serious drawbacks.
a) only TGTs can be forwarded
b) the TGT is forwarded for *each* HTTP request, and the application
will also request new service tickets with each request. This results in
heavy KDC load, as there may be many HTTP requests with each mouse click.
However, webauth seems to solve this problem. The user authenticates
once only at the login page and then credentials are wrapped into
cookies. So one KDC request only is made per session and service.
I've tried it, and it works perfectly. Thanks guys!
I get one TGT request and one service request per session only - great!
It works for users authenticating using username and password.
It does not work for SPNEGO kerberized logins, of course. Apache only
supplies the username and that's it. So as I understand the docs, some
pseudo token is generated. This obviously cannot contain a TGT as apache
had none available.
However, I'd expect it to work for kerberized logins with ticket
forwarding - Apache then supplies not only the username but also a valid
ticket cache containing a TGT.
As I understand it, the webkdc obtains a TGT from the Kerberos KDC with
the password and username provided in the login form. This is somehow
wrapped into the cookies and used later.
So shouldn't it be possible to directly use the TGT provided by the
Web-Server instead and wrap that into the cookies? (Assuming that a TGT
has been forwarded, of course)
Did I miss some configuration option or is it not yet possible?
Thanks for any hints!
firefox SPNEGO configuration for TGT forwarding:
apache Kerberos configuration to supply the TGT to applications:
AuthName "Kerberos Realm KLB.EXAMPLE"
ErrorDocument 401 /login-plain