Thanks Tom.

On Sep 1, 2015 2:28 AM, "Tom Yu" <t...@mit.edu> wrote:
> This list is for discussion about development on the Kerberos for
> Windows (KfW) product. For the type of question you've asked below,
> it's probably best to post to the kerbe...@mit.edu list, which is a
> community resource for general Kerberos-related questions.
>
> Thanks.
>
> -Tom
>
> Amit Thukral <amit.thukral...@gmail.com> writes:
>
> > Hi,
> >
> > I am trying to implement Kerberos authentication between clients and
> > a Windows KDC using certificates.
> > The product on which this needs to be implemented is a Linux-based
> > reverse proxy.
> > We have already integrated the MIT Kerberos libraries with it and are
> > able to authenticate clients with the Windows KDC,
> > i.e. we are able to get a TGT on behalf of the client (by setting the
> > forwardable flag for the AS REQ), pass it back to the browser (client),
> > and thus the client authenticates using that ticket with servers
> > protected behind our product.
> > But for this, as of now, when a user tries to access a service
> > protected behind our product, we prompt him with a login form where he
> > enters his credentials, using which we call the
> > krb5_get_init_creds_password API to send the AS REQ and get a TGT.
> >
> > Now, we want to achieve this using certificates.
> > Will it be the same API to be used, using the anchor and identity-value
> > from the certificate, or is there any other API to be used to get a TGT?
> > I used the same API and am able to get an AS REP which has the TGT, but
> > it doesn't get stored in the credential cache, not sure why.
> > I am getting a numeric error code of 5 from the krb5int_get_init_creds
> > function in get_in_tkt.c:
> > 1654        code = init_creds_get(context, ctx, use_master);
> > (gdb)
> > 1655        if (code != 0)
> > (gdb) p code
> > $5 = 5
> > I don't know what it means.
> > Is there any reference link which I can follow to do the certificate
> > generation and configuration on Windows?
> >
> > Also, is it possible to achieve Constrained Delegation using
> > certificates for our product, considering we are a Linux-based reverse
> > proxy, and client and server would be mostly Windows?
> >
> > If this is not the right forum, kindly point me to the right mailing
> > list.
> >
> > Thanks!!
> > Amit Thukral
> > _______________________________________________
> > kfwdev mailing list
> > kfwdev@mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kfwdev