This list is for discussion about development on the Kerberos for Windows (KfW) product. For the type of question you've asked below, it's probably best to post to the [email protected] list, which is a community resource for general Kerberos-related questions.
Thanks.
-Tom

Amit Thukral <[email protected]> writes:

> Hi,
>
> I am trying to implement Kerberos authentication between clients and
> Windows KDC using certificates.
> The product on which this needs to be implemented is a Linux-based reverse
> proxy.
> We have already integrated the MIT Kerberos libraries with it and are able to
> authenticate clients with Windows KDC.
> i.e. we are able to get TGT on behalf of the client (by setting forwardable
> flag for AS Req), pass it back to the browser (client) and thus client
> authenticates using that ticket with servers protected behind our product.
> But for this, as of now, when a user is trying to access a service
> protected behind our product, we prompt him with login form where he enters
> his credentials, using which we call
> krb5_get_init_creds_password api to send AS REQ and get TGT.
>
> Now, we want to achieve this using certificates.
> Will it be the same API to be used using anchor and identity-value from
> certificate or is there any other API to be used to get TGT ?
> I used the same API, able to get AS REP which has TGT but it doesn't get
> stored in credential cache, not sure why ?
> Am getting numeric error code of 5, from krb5int_get_init_creds function in
> get_in_tkt.c
> 1654 code = init_creds_get(context, ctx, use_master);
> (gdb)
> 1655 if (code != 0)
> (gdb) p code
> $5 = 5
> I don't know what it means ?
> Is there any reference link which I can follow to do the certificate
> generation and configuration on Windows ?
>
> Also, is it possible to achieve Constrained Delegation using certificates
> for our product considering we are a Linux-based reverse proxy, client and
> server would be mostly Windows?
>
> If this is not the right forum, kindly point me to the right mailing list.
>
> Thanks !!
> Amit Thukral
> _______________________________________________
> kfwdev mailing list
> [email protected]
> http://mailman.mit.edu/mailman/listinfo/kfwdev
