
Re: TGS granting

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Wed Oct 31 12:01:23 2018

Date: Wed, 31 Oct 2018 11:00:37 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: moore moore <moore_chestnut@yahoo.ie>
Message-ID: <20181031160036.GM45914@kduck.kaduk.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <2106125288.30014090.1540996599348@mail.yahoo.com>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, Oct 31, 2018 at 02:36:39PM +0000, moore moore wrote:
> Hello, I hope I have the correct forum for some guidance.
> I have the following scenario:
> Clients (generally web based), Linux proxy and Windows server farm. The proxy is configured with a user that is configured for Kerberos constrained delegation. A TGT is granted for this user with delegation enabled.
> 
> TGS are also granted and everything works OK.
> 
> However, I have a resource utilization problem on the proxy where the Windows servers are frequently requesting re-authorization with 401 Negotiate.
> 
> This causes an intermediate process on the proxy to contact the KDC for a new TGS.
> Is there a way for the intermediate process to generate service tickets without having to go to the KDC? It already has the TGT.
> Or is a round trip to the KDC (Windows AD) always required to get service tickets?

The TGT is used to authenticate to the TGS so that the TGS can issue
service tickets; the TGT alone is not enough to produce service tickets.

> Due to the connection behavior, there are very many TGS_REQs on the wire.
> Is there any way to optimize this behavior and avoid so much traffic back and forth to the KDC for TGS_REQ/TGS_RSP?

Are the 401 Negotiates doing credential delegation or just authentication?
For authentication the clients should be able to cache service tickets and
reuse them, without need for a TGS exchange for every HTTP authentication.

-Ben
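As an added illustration of Ben's point about reusing cached service tickets (not code from this thread or from MIT krb5): a Python check that reads MIT `klist` output for the proxy's credential cache and decides, for each 401 Negotiate challenge, whether a valid HTTP/ service ticket is already cached or a TGS_REQ to the KDC is actually needed. The principals, times and the two-digit-year klist timestamp format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output for the proxy's credential cache
# (hypothetical principals/times; klist's default mm/dd/yy format is assumed).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: proxy@EXAMPLE.COM

Valid starting     Expires            Service principal
10/31/18 11:00:37  10/31/18 21:00:37  krbtgt/EXAMPLE.COM@EXAMPLE.COM
10/31/18 11:01:02  10/31/18 21:00:37  HTTP/web1.example.com@EXAMPLE.COM
10/31/18 11:01:05  10/31/18 11:31:05  HTTP/web2.example.com@EXAMPLE.COM
"""

_TS = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
_LINE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (_TS, _TS))

def _parse_ts(s):
    # klist prints two-digit years by default; accept four-digit years too.
    year = s.split(" ")[0].split("/")[2]
    fmt = "%m/%d/%y %H:%M:%S" if len(year) == 2 else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(s, fmt)

def parse_klist(text):
    """Return {service principal: (valid_from, expires)} for each cached ticket."""
    tickets = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            tickets[m.group(3)] = (_parse_ts(m.group(1)), _parse_ts(m.group(2)))
    return tickets

def usable_ticket(tickets, service, now, margin=timedelta(minutes=5)):
    """True if an unexpired ticket for `service` is cached.  Only when this is
    False does the proxy need its TGT for a TGS_REQ round trip to the KDC."""
    entry = tickets.get(service)
    return entry is not None and entry[0] <= now < entry[1] - margin

def tgs_requests_needed(tickets, challenges, now):
    """Count how many 401 Negotiate challenges (one service principal each)
    would really require a KDC round trip given the current cache."""
    return sum(0 if usable_ticket(tickets, svc, now) else 1 for svc in challenges)
```

Run against a real cache with `klist` output piped in: if the HTTP/ entries keep showing fresh "Valid starting" times, the intermediate process is not reusing tickets it already holds.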
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
