About Kerberos user delegation based on client SSL certificate
I am developing an HTTP proxy which needs to perform Kerberos user delegation
based on client SSL certificates.
In our case, what the proxy can get from the clients is their public
certificates. Our KDC is on Windows Server 2008. On the server, these
client certificates are mapped to the corresponding user accounts in AD, and
we created a user account for the proxy which has the Kerberos delegation
privilege. To perform HTTP user Kerberos delegation, the proxy needs to obtain
a service ticket on behalf of the client with the client's public
certificate (here we don't have the client's private key).
My question: does the latest krb5 library support this requirement, i.e.
performing Kerberos user delegation based on a client certificate? If it is
supported, are there any documents or code examples? I am a newbie to
Kerberos. Any help will be much appreciated!
BTW, I checked the source code of krb5-1.12.1 and found a relevant function,
listed below. The function has a "subject_cert" argument. I don't know
whether we should use this function. I also searched for the function on the
Internet; unfortunately, there is very little information about it.
Re: About Kerberos user delegation based on client SSL certificate
On 08/27/2014 11:27 PM, 猛牛 wrote:
> My question: does the latest krb5 library support this requirement - making
> Kerberos user delegation based on client certificate?
MIT krb5 has supported S4U2Self (aka protocol transition) and S4U2Proxy
(aka constrained delegation) since release 1.8. Unfortunately, it is
not yet documented as well as it should be. For now, the project page
at http://k5wiki.kerberos.org/wiki/Projects/Services4User is the only
At this time we don't have public APIs for presenting the user's
certificate during S4U2Self. The KDC would only use the certificate to
identify the user, not as an authentication credential, so if you
already have a way to pick a username based on the certificate, this
shouldn't be a problem.
The public interface for S4U2Self is gss_acquire_cred_impersonate_name.
(The krb5_get_credentials_for_user function you found earlier is a
badly-named internal interface.) You can find an example program using
gss_acquire_cred_impersonate_name in src/tests/gssapi/t_s4u.c in our
Once you have performed S4U2Self using
gss_acquire_cred_impersonate_name, you can perform S4U2Proxy and
authentication to the target service simply by calling
gss_init_sec_context with the credentials you acquired.