On Thu, 25 Aug 2016, Rick van Rein wrote:
> >>> Forwarding a TGT is bad because it is unbounded impersonation.
> >> Only when the corresponding key is supplied alongside! [I hope I'm
> >> not taking anything out of context by saying that, I'm not sure about
> >> that but will probably be
Hi, I'm implementing SPNEGO & Kerberos authentication in our application's
webserver code and have it working fine when the KDC is Active Directory.
I'm now testing it with an MIT KDC instance and when I attempt to
authenticate a user who has a ticket from that KDC I get a
GSS_S_CONTINUE_NEEDED
On Thu, 2016-08-25 at 20:38 +0200, Rick van Rein wrote:
> Hi Simo,
>
> >> Careful though -- constrained delegation as done by Microsoft's
> >> S4U2Self / S4U2Proxy can only be used within one realm -- because the
> >> server is supposed to confine itself to the limitations set up (but not
> >>
On Thu, 2016-08-25 at 13:26 -0400, Michael B Allen wrote:
> On Thu, Aug 25, 2016 at 10:09 AM, Simo Sorce wrote:
> > On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
> >> But, again, the point is that the client would not be "joined" to a
> >> domain, it would not be
On Thu, Aug 25, 2016 at 10:09 AM, Simo Sorce wrote:
> On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
>> But, again, the point is that the client would not be "joined" to a
>> domain, it would not be required to have network access to a KDC, time
>> on the client would
On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
> But, again, the point is that the client would not be "joined" to a
> domain, it would not be required to have network access to a KDC, time
> on the client would not matter, the user would not necessarily have to
> run the client
On Thu, 2016-08-25 at 01:09 +0200, Rick van Rein wrote:
> Hey,
>
> >> To be clear, the whole point of what I'm proposing is that the client
> >> would have ZERO dependencies. Being able to do proper auth and then
> >> get a TLS session that uses the crypto context established during auth
> >>
Hi! Dear Colleagues,
I'm taking my first steps in using Kerberos; our goal is to
authenticate users who wish to use their Windows desktops via FreeIPA.
The issue is that we have done both FreeIPA configuration as in the
Windows client, but every time I try to use my credentials