On Mon, Jul 9, 2018, 16:38 Sachin Nikumbh <[email protected]> wrote:
> Hi,
>
> Thanks for your response. I do have a follow up question. Since the
> libcurl option is GSSAPI based, how will Kerberos delegation work on
> Windows with SSPI if we need to use libcurl?
>
> Thanks
> Sachin
>
> On Mon, Jul 9, 2018 at 2:49 AM Isaac Boukris <[email protected]> wrote:
>
>> On Mon, Jul 9, 2018, 05:30 Sachin Nikumbh <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I am looking at libcurl’s support on Kerberos delegation.
>>>
>>> The only thing I found is CURLOPT_GSSAPI_DELEGATION added in 7.22.0.
>>>
>>> https://curl.haxx.se/libcurl/c/CURLOPT_GSSAPI_DELEGATION.html
>>>
>>> However, there are several issues with this option:
>>>
>>> 1. Looks like this option is for the original Kerberos v5 delegation
>>> (unconstrained delegation for any services), not the Microsoft Kerberos
>>> protocol extension for constrained delegation.
>>> 2. It’s using GSSAPI. So does it work natively on Windows with SSPI?
>>>
>>> The preferred way to do Kerberos delegation is to do protocol transition
>>> (S4U2Self) and Constrained delegation (S4U2Proxy).
>>>
>>> https://msdn.microsoft.com/en-us/library/cc246071.aspx
>>>
>>> https://k5wiki.kerberos.org/wiki/Projects/Services4User
>>>
>>> Is this supported in libcurl?
>>>
>>> If not, is there any plan to support it?
>>>
>>
>> It doesn't have much to do with libcurl, if the contains the delegated
>> credentials (e.g. acquired via gss_acquire_cred_impersonate_name) they will
>> be used by the gssapi library when invoked by libcurl.
>>
>

I don't know about delegation in sspi, it might be possible to achieve something similar depending on the API.
