Webauth and SPNEGO with credential delegation
joachim at keltsch.net
Sun Jun 17 04:08:35 PDT 2007
>> Is it enough to put the TGT there instead of the remuser token?
>> Is there a function within the webkdc library to read ticket cache files?
> The first pass I'd take at implementing this would probably be to use the
> proxyToken API with the WebKDC to obtain a real proxy token rather than a
> faked one.
> I'm not sure how much support is already there in the Perl layer for this.
> The better approach would be to enhance the requestToken API (and probably
> specifically the login token) to take a TGT instead of a password, which
> would be a cleaner and more maintainable approach in the long run. But it
> would be a bit more work and would mean protocol enhancements.
Well, I think it could be enough to change the interpretation of the
protocol and leave the structure that goes over the wire untouched.
I assume the login user interface ensures that a username is filled in.
So it could leave the username empty to indicate that the password field
contains a TGT. This would also indicate that the username should be
taken from the TGT instead.
This way only the implementations of the WebKDC and login page would change.
So this could be a quick solution and still leave room for protocol
enhancements in the future.