[39404] in Kerberos


Re: Kerberos token

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Fri Mar 22 15:28:55 2024

Message-Id: <202403221927.42MJRNx0002777@hedwig.cmf.nrl.navy.mil>
To: "m_a_n_j_u_s_k@yahoo.com" <m_a_n_j_u_s_k@yahoo.com>
cc: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <628253825.301474.1711129798132@mail.yahoo.com>
MIME-Version: 1.0
Date: Fri, 22 Mar 2024 15:27:23 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

>Hi, I have an application that authenticates against a Proxy server
>which uses the Kerberos authentication scheme.  My application is using the SSPI
>library (github/alexbrainman/sspi Golang package to be exact) to generate
>a Kerberos token and this token is passed to the Proxy server through the
>Proxy-Authorization header "Proxy-Authorization: Negotiate <kerberos
>token>".  My query: for the subsequent calls to the proxy do I need to
>regenerate this token or can I reuse the one generated the first time?
>Or is it that each call to the proxy is treated as a session and that
>Kerberos token is for that session only?

As a general rule, GSSAPI tokens (which in the specific case of Kerberos
contain AP-REQ/AP-REP messages) are supposed to be only used once;
they contain an expiration time in them and are supposed to be checked
for reuse on the server side (although that may not always happen
depending on implementation details).  You should always get a new
one by calling the appropriate APIs.  Note that assuming your client
is using a standard ticket cache only the first request will require
contacting the KDC.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
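Ken's answer rests on two server-side properties of a Kerberos AP-REQ: the authenticator carries a client timestamp that must fall within the acceptor's clock-skew window, and the acceptor is expected to keep a replay cache so that the same authenticator is accepted only once. The Go program below is an added illustration of that check, not code from the thread, from MIT Kerberos or from the alexbrainman/sspi package: it models a replay cache keyed on the client principal and the ctime/cusec timestamp (the real authenticator is ASN.1 and has more fields, so the `Authenticator` struct, the `ReplayCache` type and the five-minute skew are assumptions of this example). Running it shows why a client that re-sends the first Negotiate token gets rejected while a freshly generated token (new timestamp) is accepted.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Authenticator holds the two fields a Kerberos replay cache keys on: the
// client principal and the client timestamp (ctime seconds plus cusec
// microseconds, folded here into one time.Time). Constructed for this
// example; a real AP-REQ authenticator carries more fields.
type Authenticator struct {
	Client string
	CTime  time.Time
}

var (
	ErrClockSkew = errors.New("authenticator outside allowed clock skew")
	ErrReplay    = errors.New("authenticator already seen: replay")
)

// ReplayCache models the acceptor-side check: an authenticator is accepted
// once while inside the skew window and refused on any later reuse.
type ReplayCache struct {
	Skew time.Duration
	seen map[string]time.Time // cache key -> time at which the entry can be dropped
}

func NewReplayCache(skew time.Duration) *ReplayCache {
	return &ReplayCache{Skew: skew, seen: make(map[string]time.Time)}
}

func (a Authenticator) key() string {
	return fmt.Sprintf("%s|%d", a.Client, a.CTime.UnixMicro())
}

// Accept returns nil for a fresh, unseen authenticator and records it;
// it returns ErrClockSkew for a stale or future-dated one and ErrReplay
// for a repeat.
func (rc *ReplayCache) Accept(a Authenticator, now time.Time) error {
	rc.prune(now)
	d := now.Sub(a.CTime)
	if d > rc.Skew || d < -rc.Skew {
		return ErrClockSkew
	}
	k := a.key()
	if _, dup := rc.seen[k]; dup {
		return ErrReplay
	}
	// An entry only has to outlive the skew window; after that the
	// timestamp check alone rejects the authenticator.
	rc.seen[k] = a.CTime.Add(rc.Skew)
	return nil
}

// prune drops entries whose timestamp can no longer pass the skew check.
func (rc *ReplayCache) prune(now time.Time) {
	for k, exp := range rc.seen {
		if now.After(exp) {
			delete(rc.seen, k)
		}
	}
}

// Len reports the number of live cache entries.
func (rc *ReplayCache) Len() int { return len(rc.seen) }

func main() {
	rc := NewReplayCache(5 * time.Minute)
	t0 := time.Date(2024, 3, 22, 19, 27, 23, 0, time.UTC)
	tok := Authenticator{Client: "user@EXAMPLE.ORG", CTime: t0}
	fmt.Println("first use:  ", rc.Accept(tok, t0))
	fmt.Println("reused token:", rc.Accept(tok, t0.Add(time.Second)))
	fresh := Authenticator{Client: "user@EXAMPLE.ORG", CTime: t0.Add(time.Second)}
	fmt.Println("fresh token: ", rc.Accept(fresh, t0.Add(time.Second)))
	stale := Authenticator{Client: "user@EXAMPLE.ORG", CTime: t0.Add(-10 * time.Minute)}
	fmt.Println("stale token: ", rc.Accept(stale, t0))
}
```

The client-side consequence is the one Ken gives: call the context-initiation API again for every request so each Proxy-Authorization header carries a new authenticator; with a standard ticket cache that costs no extra KDC round trips after the first, because the service ticket is reused and only the authenticator is regenerated.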
