Make Windows Firefox Use Ticket gained via OpenConnect VPN Connection


Make Windows Firefox Use Ticket gained via OpenConnect VPN Connection

chiasa.men
I have an openconnect server where I can login with kerberos credentials (the
vpn server basically also works as proxy to the kdc within said vpn - more
detailed description: https://access.redhat.com/blogs/766093/posts/1976663)

Now I can connect with a windows machine (using openconnect-gui) with my
kerberos credentials. Which works.

The next step shall be to use the gained ticket further for webservices within
that vpn. How can I tell the browser (e.g. Firefox) to use the ticket gained
by openconnect? Is there any way to achieve this?

I also installed the MIT Kerberos Ticket Manager for Windows. Here
(https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
it is described that it is possible to use that Manager with Firefox in order
to authenticate to webservices. Although I haven't been able to accomplish
that, would it be possible to tell MIT Kerberos Ticket Manager to use the
ticket of the VPN login?

Is there already a 'usual way' to achieve something like sso via vpn with
kerberos with windows clients?




________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Make Windows Firefox Use Ticket gained via OpenConnect VPN Connection

Benjamin Kaduk-2
The description of current and desired behavior is a bit sparse, but it
seems like the key question is whether/where openconnect stores the
kerberos ticket obtained during VPN connection.  If it's stored someplace
accessible, the rest would just be a matter of getting the different tools
plumbed together properly.  But if the KfW ticket manager does not show any
credentials after the openconnect login, it may be that openconnect is not
storing the ticket anywhere, in which case a software change would be
needed to openconnect to get it to do so.

-Ben

On Sat, Oct 20, 2018 at 10:09:57PM +0200, chiasa.men wrote:

> I have an openconnect server where I can login with kerberos credentials (the
> vpn server basically also works as proxy to the kdc within said vpn - more
> detailed description: https://access.redhat.com/blogs/766093/posts/1976663)
>
> Now I can connect with a windows machine (using openconnect-gui) with my
> kerberos credentials. Which works.
>
> The next step shall be to use the gained ticket further for webservices within
> that vpn. How can I tell the browser (e.g. Firefox) to use the ticket gained
> by openconnect? Is there any way to achieve this?
>
> I also installed the MIT Kerberos Ticket Manager for Windows. Here
> (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> it is described that it is possible to use that Manager with Firefox in order
> to authenticate to webservices. Although I haven't been able to accomplish
> that, would it be possible to tell MIT Kerberos Ticket Manager to use the
> ticket of the VPN login?
>
> Is there already a 'usual way' to achieve something like sso via vpn with
> kerberos with windows clients?