[36254] in Kerberos


Re: Use of NT-ENTERPRISE name type via GSS-API

daemon@ATHENA.MIT.EDU (Alan Braggins)
Fri Jul 4 04:14:02 2014

Message-ID: <53B66230.9020601@riverbed.com>
Date: Fri, 04 Jul 2014 09:13:36 +0100
From: Alan Braggins <alan.braggins@riverbed.com>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <53B5A31A.2030104@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 03/07/14 19:38, Greg Hudson wrote:
> On 07/02/2014 05:36 AM, Alan Braggins wrote:
>> I'm using Kerberos constrained delegation (s4u2proxy)
>> for a proxy server that is authenticating clients to a
>> Microsoft Active Domain server.
>
> Can you explain more about what you're doing?  I'm not immediately sure
> why you would need to import a UPN in order to do s4u2proxy.
>
> My understanding is that UPNs are used (1) during AS-requests, and (2)
> to identify the server when doing cross-realm S4U2Self (which we should
> do internally, but currently don't; that's issue #7790).  I'm not sure
> where they would be involved for S4U2Proxy.

It's in the s4u2self step that I'm using the UPN to identify the user,
but I'm using s4u2self to get a ticket to then use for s4u2proxy.

So in gss_acquire_cred_impersonate_name, my "desired_name" is a UPN
(which is parsed from an SSL client certificate subjectAlternateName).

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
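
Before the UPN can be imported with gss_import_name as a GSS_KRB5_NT_ENTERPRISE_NAME and passed as desired_name to gss_acquire_cred_impersonate_name, it has to be pulled out of the client certificate's subjectAltName. The following is an added example, not Alan's code: a small DER walker that returns only otherName entries whose type-id is the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 and whose value is a UTF8String, skipping every other SAN entry; the SAN bytes it is run on are a constructed sample.

```python
# Added example (not code from the thread): pull the UPN otherName out of a DER subjectAltName.
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME, the otherName type-id for UPNs

def _tlv(data: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def upns_from_san(san_der: bytes) -> list:
    """Return the UPNs carried as otherName entries of a SubjectAltName value;
    other GeneralName choices and otherNames with a different type-id are skipped."""
    tag, names, _ = _tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = _tlv(names, pos)
        if tag != 0xA0:                     # only [0] otherName can carry a UPN
            continue
        oid_tag, oid, p = _tlv(body, 0)     # OtherName ::= { type-id OID, value [0] EXPLICIT }
        val_tag, wrapped, _ = _tlv(body, p)
        if oid_tag != 0x06 or val_tag != 0xA0 or _decode_oid(oid) != MS_UPN_OID:
            continue
        str_tag, upn, _ = _tlv(wrapped, 0)
        if str_tag != 0x0C:                 # the UPN must be a UTF8String
            raise ValueError("UPN otherName value is not a UTF8String")
        found.append(upn.decode("utf-8"))
    return found

def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (short-form lengths only), used to build the sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample SAN: rfc822Name, the UPN otherName, then a dNSName.
SAMPLE_SAN = _der(0x30, _der(0x81, b"alice@example.com")
                  + _der(0xA0, _der(0x06, bytes.fromhex("2b060104018237140203"))
                         + _der(0xA0, _der(0x0C, b"alice@EXAMPLE.COM")))
                  + _der(0x82, b"proxy.example.com"))
```

A certificate can carry several SAN entries, so the caller should decide what to do when the returned list is empty or has more than one UPN before handing anything to gss_import_name.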
