Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Benjamin Kaduk
On Thu, 25 Aug 2016, Rick van Rein wrote:
> >>> Forwarding a TGT is bad because it is unbounded impersonation.
> >> Only when the corresponding key is supplied alongside! [I hope I'm
> >> not taking anything out of context by saying that, I'm not sure about
> >> that but will probably be

GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

2016-08-25 Thread JSoet
Hi, I'm implementing SPNEGO & Kerberos authentication in our application's webserver code and have it working fine when the KDC is Active Directory. I'm now testing it with an MIT KDC instance and when I attempt to authenticate a user who has a ticket from that KDC I get a GSS_S_CONTINUE_NEEDED

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Simo Sorce
On Thu, 2016-08-25 at 20:38 +0200, Rick van Rein wrote:
> Hi Simo,
>
> >> Careful though -- constrained delegation as done by Microsoft's
> >> S4U2Self / S4U2Proxy can only be used within one realm -- because the
> >> server is supposed to confine itself to the limitations setup (but not
> >>

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Simo Sorce
On Thu, 2016-08-25 at 13:26 -0400, Michael B Allen wrote:
> On Thu, Aug 25, 2016 at 10:09 AM, Simo Sorce wrote:
> > On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
> >> But, again, the point is that the client would not be "joined" to a
> >> domain, it would not be

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Michael B Allen
On Thu, Aug 25, 2016 at 10:09 AM, Simo Sorce wrote:
> On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
>> But, again, the point is that the client would not be "joined" to a
>> domain, it would not be required to have network access to a KDC, time
>> on the client would

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Simo Sorce
On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
> But, again, the point is that the client would not be "joined" to a
> domain, it would not be required to have network access to a KDC, time
> on the client would not matter, the user would not necessarily have to
> run the client

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Simo Sorce
On Thu, 2016-08-25 at 01:09 +0200, Rick van Rein wrote:
> Hey,
>
> >> To be clear, the whole point of what I'm proposing is that the
> client
> >> would have ZERO dependencies. Being able to do proper auth and then
> >> get a TLS session that uses the crypto context established during
> auth
> >>

Searching for a debugging tool for Kerberos inside Windows 10 Desktop

2016-08-25 Thread Pablo Silva
Hi! Dear Colleagues, I'm taking my first steps in using Kerberos; our goal is to authenticate users who wish to use their Windows desktops via FreeIPA. The issue is that we have done both the FreeIPA configuration and the configuration on the Windows client, but every time I try to use my credentials