Thank you for the reply. I was able to reuse the credentials from the gss_acquire_cred_impersonate_name() function by storing the creds specific to the user in a data structure. (I retrieve the creds from the data structure and pass them to init_sec_context.) I could avoid one TGS_REQ with that change, but this is like a hack. I just wondered if KfW supported caching, but you answered that. I will keep an eye out for the solution.

Thank you, Greg.

On Mon, Apr 3, 2017 at 12:40 PM, Greg Hudson <ghud...@mit.edu> wrote:
> On 03/31/2017 01:37 PM, Rahul G wrote:
> > I have a KCD implementation based on t_s4u.c, using
> > gss_acquire_cred_impersonate_name() and gss_init_sec_context(). This
> > works fine, giving my impersonator an auth token to the target server
> > on behalf of the client user. The problem is, my implementation does a
> > TGS_REQ subsequently for the same user and same target server. Is there
> > a way I can reuse the credentials that I received with the first auth
> > token. We want to avoid unnecessary network traffic, especially since
> > the tickets have the default expirations (10hrs).
>
> Unfortunately, we only made using cached S4U2Proxy credentials work in
> krb5-1.15 [1], while the most recent KfW release is based on krb5-1.13.
> I don't know of any application-level workaround that would help. As we
> only make KfW releases infrequently, it may be some time before there is
> a KfW release with this feature added; therefore, building the current
> or 1.15 krb5 sources on Windows may be the only way to get this to work
> in the near future.
>
> [1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=8372
> _______________________________________________
kfwdev mailing list
kfwdev@mit.edu
http://mailman.mit.edu/mailman/listinfo/kfwdev
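
The per-user credential reuse described in the reply at the top of this thread, as an added example that is not code from the thread or from MIT krb5. All names are hypothetical; the handle is kept opaque so the block compiles without GSS-API headers, and it assumes the caller supplies the expiry time and a release callback.

```c
/* Added illustration: per-user cache of impersonated credential handles.
 * All names are hypothetical. In a GSS-API program `cred` would hold the
 * gss_cred_id_t from gss_acquire_cred_impersonate_name(), `expiry` the
 * credential's end time, and `release` would call gss_release_cred(). */
#include <stddef.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 64
#define EXPIRY_MARGIN 300 /* seconds: nearly expired counts as expired */

typedef void (*release_fn)(void *cred);
struct cred_entry { char user[256]; void *cred; time_t expiry; };
static struct cred_entry cache[CACHE_SLOTS];

static void drop(struct cred_entry *e, release_fn release) {
    if (e->cred && release) release(e->cred);
    memset(e, 0, sizeof *e);
}

/* Return a still-valid handle for exactly this user, else NULL. */
void *cred_cache_get(const char *user, time_t now, release_fn release) {
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        struct cred_entry *e = &cache[i];
        if (!e->cred || strcmp(e->user, user) != 0) continue;
        if (e->expiry - EXPIRY_MARGIN > now) return e->cred;
        drop(e, release); /* expired: release it, caller re-acquires */
        return NULL;
    }
    return NULL;
}

/* Store a handle, replacing any entry for the same user. Returns 0, or -1
 * if the name is too long or the table is full (caller keeps ownership). */
int cred_cache_put(const char *user, void *cred, time_t expiry, release_fn release) {
    struct cred_entry *slot = NULL;
    if (!cred || strlen(user) >= sizeof cache[0].user) return -1;
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].cred && strcmp(cache[i].user, user) == 0) { slot = &cache[i]; break; }
        if (!cache[i].cred && !slot) slot = &cache[i];
    }
    if (!slot) return -1;
    if (slot->cred != cred) drop(slot, release); /* free the old handle */
    strcpy(slot->user, user);
    slot->cred = cred;
    slot->expiry = expiry;
    return 0;
}
```

Matching on the exact user name keeps one user's delegated credential from being handed out for another, and the expiry margin avoids presenting a handle whose ticket lapses mid-request.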