Re: Kerberos Delegation thru Windows' ISAPI?



Hi Michael,

If I understood you correctly, your goal is to trigger from MS IIS something
written in Java using Kerberos authentication. I would suggest you put
together a servlet in Tomcat and make IIS authenticate itself against this
servlet using SPNEGO.

Most probably you will have to develop a SPNEGO authenticator in Tomcat
yourself. I was looking for this thing a while ago on the Internet and could
not find anything meaningful, and therefore I have developed something similar
myself.

What you will have to do in that case is to extract GSSAPIv2 tokens from the
SPNEGO tokens which you will receive from IIS, or otherwise build SPNEGO
tokens from the GSSAPIv2 tokens provided by Sun's GSSAPIv2 implementation. That
is, you will need an API to parse DER-encoded ASN.1 structures, or otherwise
encode ASN.1 structures.

Even for this you will have trouble finding a meaningful API unless you can
use IAIK. If you have to stay "open source" you may want to try
www.bouncycastle.org; they claim to have a library to work with ASN.1
structures.

Best regards, vadim tarassov

On Friday 08 September 2006 00:20, Michael B Allen wrote:
I have a Kerberos delegation issue caused by the separation of IIS worker
processes and the Tomcat web server process on Windows.

Specifically, I have a customer running Tomcat through ISAPI
on Windows with IIS using Integrated Windows Authentication
(Kerberos). Authentication is working. The getRemoteUser method returns
the user's expected identity. Delegation is working. An ASP can use
the client's credentials to request another protected page on a second
IIS server. Note, impersonation is not used in any way, shape or form
(nor would it work).

I put together a Kerberos capable HTTP client and tried to invoke it
through the IIS authenticated Servlet. This does not work. The JGSS
routines cannot find the delegated ticket (TGT).

Can anyone guess as to why this is?

My thinking is that even though the Tomcat process and IIS workers are
running under the same service account, Tomcat servlets do not have
access to the IIS worker's credential cache because the credential
cache is per logon session and IIS creates a new logon session with each
authentication. Does this sound right? I can't find any documentation
about this scenario.

My next thought was to export the security context but someone just
posted a message that indicated Sun's Java doesn't support exporting
the credential. If that's true I guess I'm toast?

It would be a nice feature if Tomcat's ISAPI DLL used
LsaGetLogonSessionData and similar in the IIS worker to get any TGT
present and ship it over to the Tomcat worker so Java can get to it. A
lot of shops are MS SSO only and don't want a separate container for Java.

Mike
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
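The SPNEGO unwrapping vadim describes above (pulling the GSSAPI mechanism token out of the SPNEGO token IIS sends, and building one in the other direction) as an added example that is not code from either poster. It is written in Python rather than Java for brevity, and the mechToken it wraps is a constructed placeholder, not a real Kerberos AP-REQ.

```python
# Added example, not from the thread: SPNEGO NegTokenInit build/parse; the mechToken below is a constructed placeholder.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Windows lists it first)

def der(tag, body):
    """Encode one TLV with a DER definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_token, mech_oids=(MS_KRB5_OID, KRB5_OID)):
    """Wrap a GSS-API mechanism token in a SPNEGO InitialContextToken (RFC 4178)."""
    mech_types = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))

def extract_mech_token(spnego):
    """Unwrap a SPNEGO initial token; return (offered mech OIDs, mechToken)."""
    tag, body, _ = read_tlv(spnego)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO (raw Kerberos or NTLM?)")
    tag, neg_init, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit [0], got a NegTokenResp")
    seq, mech_types, mech_token, pos = read_tlv(neg_init)[1], [], None, 0
    while pos < len(seq):                              # walk the NegTokenInit SEQUENCE
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                                # [0] mechTypes: SEQUENCE OF OID
            lst, p = read_tlv(val)[1], 0
            while p < len(lst):
                _, mech, p = read_tlv(lst, p)
                mech_types.append(mech)
        elif tag == 0xA2:                              # [2] mechToken: OCTET STRING
            mech_token = read_tlv(val)[1]              # a krb5 InitialContextToken for JGSS
    if mech_token is None:
        raise ValueError("NegTokenInit carries no mechToken")
    return mech_types, mech_token
```

The bytes to feed in are the base64-decoded value after "Negotiate " in the Authorization header; the returned mechToken keeps its own krb5 GSS-API framing, which is what the Sun JGSS acceptor expects.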
