
I want to generate a Kerberos ticket using .NET with auth credentials supplied through a login form on a web page (this will authenticate the user against a SQL db) and then use this ticket to authenticate the user as a single sign-on across several other web apps.

Is this possible? I have had a look at WSE and it seems to assume you already have a granted Kerberos ticket to use before using it to authenticate.

We have an MIT Kerberos server to issue tickets.

Sheff

1 Answer


It turns out you cannot generate a Kerberos ticket using a web app, as that would require your web server gaining access to the client's local file system to issue the token.

You can only request an existing token from a client that has had one issued from a krb server through an application running on the client (or by logging onto a Windows domain).

We ended up writing a custom token service using a web service.

Sheff
  • What API calls did you use to request the existing token from the client? – Abhijeet Patel May 02 '11 at 18:24
  • We wrote a custom web service in the end using WSE 3.0 to secure it via a certificate and had a custom token. With regards to KRB token retrieval I can't remember but I'll dig around – Sheff May 04 '11 at 14:05
  • I used WSE too (in an asp.net app) with impersonation turned on, but noticed that the ticket is generated only if I hit the web app locally. If I hit it from a different machine in the same intranet using my credentials it fails with a security exception. – Abhijeet Patel May 18 '11 at 04:04
  • @Abhijeet Patel Did you figure this out? We have the same issue as you located here: http://stackoverflow.com/questions/7289372/sap-iis-and-sso-kerberos-sspi-not-usable-with-this-user-account – Nate Sep 06 '11 at 17:07