[37210] in Kerberos


Fwd: Queries for Kerb Auth using Certificates and KCD for linux

daemon@ATHENA.MIT.EDU (Amit Thukral)
Tue Sep 1 07:44:22 2015

In-Reply-To: <ldvlhcrw4xn.fsf@sarnath.mit.edu>
Date: Tue, 1 Sep 2015 10:44:13 +0530
Message-ID: <CAJ62q=wg+myhMyUVBc0bNQ9pO-41ftKYf4zRL5iRSqpZBr4jXA@mail.gmail.com>
From: Amit Thukral <amit.thukral403@gmail.com>
To: kerberos@mit.edu

Hi,

I am trying to implement Kerberos authentication between clients and
a Windows KDC using certificates.
The product on which this needs to be implemented is a Linux-based reverse
proxy.
We have already integrated the MIT Kerberos libraries with it and are able to
authenticate clients with the Windows KDC.
i.e. we are able to get a TGT on behalf of the client (by setting the forwardable
flag for the AS Req), pass it back to the browser (client) and thus the client
authenticates using that ticket with servers protected behind our product.
But for this, as of now, when a user tries to access a service
protected behind our product, we prompt him with a login form where he enters
his credentials, using which we call the
krb5_get_init_creds_password API to send the AS REQ and get a TGT.

Now, we want to achieve this using certificates.
Is the same API to be used, with the anchor and identity-value from the
certificate, or is there any other API to be used to get a TGT?
I used the same API and am able to get an AS REP which has the TGT, but it doesn't get
stored in the credential cache; not sure why.
I am getting a numeric error code of 5, i.e. "Input/output error", from the
following function in get_in_tkt.c:
 krb5int_get_init_creds (..) {
1654        code = init_creds_get(context, ctx, use_master);
(gdb)
1655        if (code != 0)
(gdb) p code
$5 = 5
I don't know what it means.
Is there any reference link which I can follow to do the certificate
generation and required configuration on Windows for my case?
I am not clear which configuration option I have to follow.
It would be great if someone could help me with this.

Thanks !!
Amit
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
