Re: Delegated Kerberos through a CGI
Thanks for the reply.

Does anyone know how to use the Windows Security API to generate a new
ticket that allows the original user to be impersonated? Alternatively, is
this documented anywhere or are there code examples? What should the code do
with the key passed in HTTP_AUTHORIZATION (if anything)?

Thanks...

"Ken Schaefer" wrote:

No - you can't just pass on the Kerberos service ticket. Your CGI (probably
using the Windows security APIs) needs to get a new service ticket to the
backend server.

How Kerberos works (explains the concept of a service ticket)
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx

How it works in a delegated scenario:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/28/1282.aspx

Cheers
Ken


"AWillemsen" <AWillemsen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A181E6F3-12C2-4682-9C19-10BFE32B6887@xxxxxxxxxxxxxxxx
Hi,

I'm trying to get a CGI to use delegated Kerberos authentication. The
environment is IE6 on the client (A) and IIS6 on two servers (B and C).

Delegated authentication is working with ASP, according to
http://support.microsoft.com/kb/314404 but when I substitute the CGI for
"Test1.asp" (both running on the server B in the same virtual directory and
accessed using the same URL) the authentication against server C fails with a
401.1 error.

So, I guess the problem is in the CGI code. The CGI (on server B) gets the
authentication protocol and key from the browser (on server A) in the
HTTP_AUTHORIZATION variable. At the moment, the code is just passing this
protocol and key on to server C in the Authorization: HTTP header. This
works fine for Basic authentication but not for Kerberos. Does the code need
to do something special with the key for Kerberos before passing it on?

Some notes:

1) The CGI is written in portable C++ and accesses HTTP resources directly
through a socket library (Winsock 1.1 on Windows) so has complete control
over the HTTP headers

2) It already supports NTLM/Kerberos/Negotiate (not delegated) with help
from the Windows Security API

3) I have verified that, although the protocol from the browser is
"Negotiate", the key received by the CGI from the browser is Kerberos and not
NTLM (by looking at its length)

Thanks for any help...
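An added example, not code from this thread or from Ken's posts, of what the CGI on server B can do instead of forwarding the browser's token: once the inbound Negotiate token from HTTP_AUTHORIZATION has been accepted into an SSPI context (which the existing non-delegated support already does), impersonate that context and ask SSPI for a fresh service ticket to server C's SPN, then send that token in the Authorization: header. The SSPI calls are Windows-only and guarded by `_WIN32`; the header builder is portable. The function names, the `backendSpn` value and the assumption that `inbound` came from AcceptSecurityContext are mine.

```cpp
#include <string>
#include <vector>
#include <cstdint>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#pragma comment(lib, "secur32.lib")
#endif

// Builds the value for "Authorization: Negotiate <base64 token>" (portable).
std::string negotiate_header(const std::vector<uint8_t>& tok) {
    static const char* tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out = "Negotiate ";
    size_t i = 0;
    for (; i + 2 < tok.size(); i += 3) {
        uint32_t n = (tok[i] << 16) | (tok[i + 1] << 8) | tok[i + 2];
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63]; out += tbl[(n >> 6) & 63]; out += tbl[n & 63];
    }
    if (i < tok.size()) {  // 1 or 2 trailing bytes need '=' padding
        uint32_t n = tok[i] << 16; if (i + 1 < tok.size()) n |= tok[i + 1] << 8;
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63];
        out += (i + 1 < tok.size()) ? tbl[(n >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

#ifdef _WIN32
// `inbound` is the context built by AcceptSecurityContext from the browser's token.
// Delegation only works if B is trusted for delegation and that context carries a
// forwardable ticket; otherwise the impersonated token cannot reach C (the 401.1 case).
// backendSpn is an assumption, e.g. L"HTTP/serverC.example.com". Returns "" on failure.
std::string delegated_header(CtxtHandle* inbound, const wchar_t* backendSpn) {
    std::string result;
    if (ImpersonateSecurityContext(inbound) != SEC_E_OK) return result;  // act as the user
    CredHandle cred; CtxtHandle ctx; TimeStamp exp; ULONG attrs = 0;
    SecBuffer out = {0, SECBUFFER_TOKEN, nullptr};
    SecBufferDesc outDesc = {SECBUFFER_VERSION, 1, &out};
    // pAuthData == NULL binds the outbound credential to the impersonated (browser) user.
    if (AcquireCredentialsHandleW(nullptr, const_cast<wchar_t*>(L"Negotiate"), SECPKG_CRED_OUTBOUND,
            nullptr, nullptr, nullptr, nullptr, &cred, &exp) == SEC_E_OK) {
        SECURITY_STATUS st = InitializeSecurityContextW(&cred, nullptr, const_cast<wchar_t*>(backendSpn),
            ISC_REQ_MUTUAL_AUTH | ISC_REQ_ALLOCATE_MEMORY, 0, SECURITY_NATIVE_DREP,
            nullptr, 0, &ctx, &outDesc, &attrs, &exp);
        if ((st == SEC_E_OK || st == SEC_I_CONTINUE_NEEDED) && out.pvBuffer) {
            const uint8_t* p = static_cast<const uint8_t*>(out.pvBuffer);  // new ticket for C
            result = negotiate_header(std::vector<uint8_t>(p, p + out.cbBuffer));
            FreeContextBuffer(out.pvBuffer); DeleteSecurityContext(&ctx);
        }
        FreeCredentialsHandle(&cred);
    }
    RevertSecurityContext(inbound);  // always drop impersonation before returning
    return result;
}
#endif
```

The browser's own token is consumed only by AcceptSecurityContext; it is never copied into the request to C.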
