
My client application/browser authenticates against my server using Kerberos. The server runs Apache/Tomcat, and it talks to my service which runs on the server. My service can distribute work to another service on a different machine, so we will need to set up constrained delegation. My service on the server (on the server machine or the other machine) needs to talk to a SQL Server database using ODBC. I want to impersonate the end user (in AD). From reading online, to impersonate the end user, it seems like all I need to do is to make the SQLDriverConnect call to the ODBC driver on a thread which impersonates the end user.

If the user is already authenticated and I can get some token (TGT?) in my service, what API would I need to call in my service thread to impersonate the end user? I see ImpersonateLoggedOnUser and ImpersonateSecurityContext as likely options, but I don't really know which one applies in my case and specifically what ticket/token I need here.

Also, I see that SetThreadToken can be an option too when the user is already authenticated. Is it?

My service is in C++ and the environment is Windows (7 or Server).

user2237963

1 Answer


Without verifying this flow, you should try the following:

Prerequisite: If you want to resort to constrained delegation, you will need Java 8. No other options. Unconstrained works from Java 6.

Client SPNEGO/Kerberos => Tomcat/Server 1 (extract delegated credential with JGSS) => Tomcat/Server 1 obtains service ticket for next layer with delegated credential => C++ backend Server 1 (extract delegated credential with SSPI) => impersonate, etc.

Please note that you cannot call ODBC from Java but only from C/C++ so if you want to remain both on the same machine, get your service ticket for host/ and proceed with C++ and ODBC.

Michael-O
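The last two steps of that chain (the C++ service accepting the token Tomcat obtained with the delegated credential, impersonating the end user, and calling SQLDriverConnect on that thread) look like the following in C++ with SSPI. This is an added example written for this page; it is not code from the question, the answer, or any project, and it is Windows-only: everything after the `#ifdef _WIN32` guard needs the Windows SDK and the ODBC driver manager, and only the connection-string helper at the top compiles elsewhere. Assumptions: the service uses the Negotiate package with its SPN registered on the account it runs as; the raw SPNEGO/Kerberos token bytes reach it over some transport of your own; SQL Server is reached with integrated authentication (Trusted_Connection=yes) through the "{SQL Server}" driver shipped with Windows; the names AcceptCallerToken, ThreadTokenCanImpersonate, ConnectAsCaller and HandleRequest are mine. It answers the "which API" question directly: with a CtxtHandle from AcceptSecurityContext you call ImpersonateSecurityContext, and if you would rather hold a token handle you call QuerySecurityContextToken and then SetThreadToken or ImpersonateLoggedOnUser on it; what the service receives is the caller's service ticket, never the TGT.

```cpp
#include <string>
#include <vector>

// Portable part: an integrated-auth ODBC connection string carries no user or
// password. Trusted_Connection=yes makes the driver authenticate with the
// security context of the thread that calls SQLDriverConnect, so that thread
// must be impersonating. "{SQL Server}" is the driver shipped with Windows.
std::string BuildTrustedConnectionString(const std::string& server, const std::string& database,
                                         const std::string& driver = "{SQL Server}") {
    return "Driver=" + driver + ";Server=" + server + ";Database=" + database + ";Trusted_Connection=yes;";
}

#ifdef _WIN32  // SSPI and the ODBC driver manager exist only on Windows
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <sql.h>
#include <sqlext.h>
#pragma comment(lib, "Secur32.lib")
#pragma comment(lib, "Odbc32.lib")

// Accept the Kerberos/SPNEGO token Tomcat built with the delegated credential for
// this service's SPN. The caller's TGT never reaches us: we get a service ticket,
// which AcceptSecurityContext turns into a context for the end user. ASC_REQ_DELEGATE
// is not requested; it asks for a forwarded TGT, i.e. unconstrained delegation.
SECURITY_STATUS AcceptCallerToken(const std::vector<BYTE>& in, CredHandle& cred,
                                  CtxtHandle& ctx, std::vector<BYTE>& reply) {
    TimeStamp expiry;
    SECURITY_STATUS st = AcquireCredentialsHandleW(nullptr, const_cast<LPWSTR>(L"Negotiate"),
        SECPKG_CRED_INBOUND, nullptr, nullptr, nullptr, nullptr, &cred, &expiry);
    if (st != SEC_E_OK) return st;
    SecBuffer inBuf{ (ULONG)in.size(), SECBUFFER_TOKEN, (void*)in.data() };
    SecBufferDesc inDesc{ SECBUFFER_VERSION, 1, &inBuf };
    SecBuffer outBuf{ 0, SECBUFFER_TOKEN, nullptr };
    SecBufferDesc outDesc{ SECBUFFER_VERSION, 1, &outBuf };
    ULONG attrs = 0;
    st = AcceptSecurityContext(&cred, nullptr, &inDesc, ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_CONNECTION,
                               SECURITY_NATIVE_DREP, &ctx, &outDesc, &attrs, &expiry);
    if (outBuf.pvBuffer) {  // on SEC_I_CONTINUE_NEEDED send 'reply' back and call again with &ctx
        reply.assign((BYTE*)outBuf.pvBuffer, (BYTE*)outBuf.pvBuffer + outBuf.cbBuffer);
        FreeContextBuffer(outBuf.pvBuffer);
    }
    if (st != SEC_E_OK && st != SEC_I_CONTINUE_NEEDED) FreeCredentialsHandle(&cred);
    return st;
}

// Check before the second hop: an Identification-level token names the caller but
// cannot authenticate to SQL Server as them; Impersonation or Delegation level is needed.
bool ThreadTokenCanImpersonate() {
    HANDLE t = nullptr;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &t)) return false;
    SECURITY_IMPERSONATION_LEVEL lvl = SecurityAnonymous; DWORD n = 0;
    BOOL ok = GetTokenInformation(t, TokenImpersonationLevel, &lvl, sizeof lvl, &n);
    CloseHandle(t);
    return ok && lvl >= SecurityImpersonation;
}

// Impersonate the accepted caller on this thread, connect through ODBC, revert.
// With a CtxtHandle the direct call is ImpersonateSecurityContext; the other route is
// QuerySecurityContextToken + SetThreadToken (ImpersonateLoggedOnUser on that handle
// is equivalent). Both are shown so the two paths can be compared; pick one.
bool ConnectAsCaller(CtxtHandle& ctx, const std::string& connStr, bool viaToken, std::string& err) {
    HANDLE token = nullptr;
    if (viaToken) {
        if (QuerySecurityContextToken(&ctx, &token) != SEC_E_OK) { err = "QuerySecurityContextToken"; return false; }
        if (!SetThreadToken(nullptr, token)) { CloseHandle(token); err = "SetThreadToken"; return false; }
    } else if (ImpersonateSecurityContext(&ctx) != SEC_E_OK) { err = "ImpersonateSecurityContext"; return false; }

    bool ok = false;
    if (!ThreadTokenCanImpersonate()) err = "thread token below SecurityImpersonation level";
    else {
        SQLHENV env = SQL_NULL_HENV; SQLHDBC dbc = SQL_NULL_HDBC;
        SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &env);
        SQLSetEnvAttr(env, SQL_ATTR_ODBC_VERSION, (SQLPOINTER)SQL_OV_ODBC3, 0);
        SQLAllocHandle(SQL_HANDLE_DBC, env, &dbc);
        SQLCHAR out[1024]; SQLSMALLINT outLen = 0;
        SQLRETURN rc = SQLDriverConnect(dbc, nullptr, (SQLCHAR*)connStr.c_str(), SQL_NTS, out,
                                        (SQLSMALLINT)sizeof out, &outLen, SQL_DRIVER_NOPROMPT);
        if (SQL_SUCCEEDED(rc)) { ok = true; SQLDisconnect(dbc); }  // SUSER_SNAME() now reports the end user
        else {
            SQLCHAR state[6] = {}, msg[256] = {}; SQLINTEGER native = 0; SQLSMALLINT len = 0;
            SQLGetDiagRec(SQL_HANDLE_DBC, dbc, 1, state, &native, msg, sizeof msg, &len);
            err = std::string((char*)state) + ": " + (char*)msg;
        }
        SQLFreeHandle(SQL_HANDLE_DBC, dbc);
        SQLFreeHandle(SQL_HANDLE_ENV, env);
    }
    // Revert unconditionally: a pooled thread that keeps the token serves the next request as this user.
    if (viaToken) { RevertToSelf(); CloseHandle(token); } else RevertSecurityContext(&ctx);
    return ok;
}

// Per-request wiring. 'tokenFromTomcat' is whatever your transport delivered
// (assumption: raw SPNEGO/Kerberos bytes). Single-leg exchange only.
bool HandleRequest(const std::vector<BYTE>& tokenFromTomcat, const std::string& sqlHost, std::string& err) {
    CredHandle cred{}; CtxtHandle ctx{}; std::vector<BYTE> reply;
    SECURITY_STATUS st = AcceptCallerToken(tokenFromTomcat, cred, ctx, reply);
    bool ok = false;
    if (st == SEC_E_OK) ok = ConnectAsCaller(ctx, BuildTrustedConnectionString(sqlHost, "master"), false, err);
    else err = (st == SEC_I_CONTINUE_NEEDED) ? "multi-leg SPNEGO not handled here" : "AcceptSecurityContext failed";
    if (st == SEC_E_OK || st == SEC_I_CONTINUE_NEEDED) { DeleteSecurityContext(&ctx); FreeCredentialsHandle(&cred); }
    return ok;
}
#endif
```

For the second hop to succeed the directory side has to match the code: the account the C++ service runs as (the computer account if it runs as Local System or Network Service) must be trusted for constrained delegation to the database's MSSQLSvc/host:port SPN, and that SPN must be registered on the SQL Server service account so the hop uses Kerberos rather than NTLM, which cannot be delegated at all. Unless the account is set to "Use any authentication protocol" (protocol transition), the service ticket Tomcat presents has to be forwardable, so the Tomcat tier must itself be allowed to delegate to the C++ service's host/ SPN. If ThreadTokenCanImpersonate fails, the token arrived at Identification level, and the fix is upstream in how Tomcat obtained the ticket, not in the choice between ImpersonateSecurityContext and SetThreadToken.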