Hi, I'm confused about a couple of points regarding delegation - could anyone help to educate me please?
I am trying to perform a constrained delegation authentication with a web application. The user authenticates to a web application (principal HTTP/www.example.com) and that web application then authenticates to another web app (HTTP/datastore.example.com). Based on the information here ( https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html ) I think I need the first web app to get proxy credentials for the user from the KDC, then initialize a security context using those creds, and then use the token it gets from that security context to authenticate against the second web app as that user. Have I read that correctly?

With this in mind, I'm using the following code on the intermediate server. It's using the python-gssapi library, which uses MIT krb5 underneath (v 1.15.1). Hopefully it's clear what's happening here in pure gssapi terms:

    import base64
    import gssapi
    import requests

    name = gssapi.Name('HTTP/www.example.com')  # the principal for this service
    creds = gssapi.Credentials(name=name, usage='initiate')
    username = gssapi.Name('kerbtestjohn')  # the user that this service wants to impersonate
    proxy_creds = creds.impersonate(username, usage='initiate')
    target_name = gssapi.Name('HTTP/datastore.example.com')  # the service that this service wants to access as the impersonated user
    client_ctx = gssapi.SecurityContext(name=target_name, creds=proxy_creds, usage='initiate')
    initial_client_token = client_ctx.step()
    # b64encode returns bytes; decode it before concatenating with the str header prefix
    t = base64.b64encode(initial_client_token).decode('ascii')
    headers = {'Authorization': 'Negotiate ' + t}
    r = requests.get('http://datastore.example.com/', headers=headers)

The client_ctx.step() call returns this error:

    gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): Matching credential not found

I've made sure that the target_name principal is in the default keytab, but honestly I'm not even sure why it's looking for a credential for this principal at this point. In any case, having it in the keytab doesn't seem to help.
The surprising thing is that if I initialize the context with the other name instead (HTTP/www.example.com), then this code works perfectly, and authenticates me as 'kerbtestjohn' to www.datastore.com. I didn't think that should work. Even stranger, if I omit the proxy_creds from the SecurityContext, then it also works, using either of the 2 service names. So I can impersonate users without the proxy creds!? Shouldn't that be rejected?

The final confusing thing is that I don't have the 'ok_to_auth_as_delegate' bit set on any of my principals. Shouldn't I have to set that for HTTP/www.example.com in order for that service to be able to impersonate a user?

The datastore.example.com service is using nginx + spnego-http-auth-nginx-module. Again, this uses MIT krb5 (same version, 1.15.1). I don't see any signs that this component is not working correctly. It's definitely enforcing authentication.

Can anyone explain what I'm doing wrong here? Thanks in advance for any insight you can provide!

-John

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
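An added example (not from the original post) covering the HTTP leg of the flow described above: building and parsing the Negotiate headers correctly, plus a small RFC 2743 framing parser that tells you which mechanism the token returned by step() actually carries (raw krb5 or SPNEGO), which is worth checking before blaming the server side. All helper names are my own, and the token bytes used in the test are constructed, not captured.

```python
import base64
import re

# Mechanism OIDs, DER-encoded (RFC 4121 krb5 mech, RFC 4178 SPNEGO).
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
MECH_NAMES = {KRB5_MECH_OID: "krb5", SPNEGO_OID: "spnego"}


def der_len(n):
    """DER length octets for content length n (short form, or long form for n >= 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def initial_context_token(mech_oid, inner):
    """RFC 2743 section 3.1 framing: [APPLICATION 0] { OID mech, inner mech token }."""
    content = b"\x06" + der_len(len(mech_oid)) + mech_oid + inner
    return b"\x60" + der_len(len(content)) + content


def _read_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, position after it)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return buf[pos:pos + length], pos + length


def mech_of_token(token):
    """Name the mechanism of a GSS-API initial context token: 'krb5', 'spnego' or 'unknown:<hex>'."""
    content, _ = _read_tlv(token, 0, 0x60)
    oid, _ = _read_tlv(content, 0, 0x06)
    return MECH_NAMES.get(oid, "unknown:" + oid.hex())


def negotiate_header(token):
    """Authorization value for the request; b64encode returns bytes, so decode before joining."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def parse_negotiate_challenge(www_authenticate):
    """Server token from a WWW-Authenticate header, or None for a bare 'Negotiate' challenge."""
    m = re.fullmatch(r"\s*Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*", www_authenticate)
    if m is None:
        raise ValueError("not a Negotiate challenge")
    return base64.b64decode(m.group(1)) if m.group(1) else None
```

Feed the bytes returned by client_ctx.step() to mech_of_token() and to negotiate_header(); pass the response's WWW-Authenticate value to parse_negotiate_challenge() and, when it returns a token, hand that to client_ctx.step() to finish mutual authentication.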