I'm using IIS server as the KDC and have configured it to provide Kerberos authentication. I have a sample C# client as below.
using System;
using System.IO;
using System.Net;

class KerberosClient
{
    public static void Main(string[] args)
    {
        // Remove the other authentication modules so only Negotiate/Kerberos is left.
        AuthenticationManager.Unregister("Basic");
        AuthenticationManager.Unregister("NTLM");
        AuthenticationManager.Unregister("Digest");
        loadURL("http://localhost");
        Console.ReadLine();
    }

    private static void loadURL(String url)
    {
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            // Use the logged-on Windows account; the 401/Negotiate exchange is handled internally.
            req.Credentials = CredentialCache.DefaultCredentials;
            req.Proxy = null;
            using (HttpWebResponse result = (HttpWebResponse)req.GetResponse())
            {
                Console.WriteLine("Authentication Succeeded:");
                Stream stream = result.GetResponseStream();
                showContent(stream);
            }
        }
        catch (WebException e)
        {
            // A status such as 401 arrives as a ProtocolError carrying the server's response.
            if (e.Status == WebExceptionStatus.ProtocolError && e.Response != null)
            {
                HttpWebResponse hresp = (HttpWebResponse)e.Response;
                Console.WriteLine("\nAuthentication Failed, " + hresp.StatusCode);
                Console.WriteLine("Status Code: " + (int)hresp.StatusCode);
                Console.WriteLine("Status Description: " + hresp.StatusDescription);
                return;
            }
            Console.WriteLine("Caught Exception: " + e.Message);
            Console.WriteLine("Stack: " + e.StackTrace);
        }
    }

    // Not shown in the original post; prints the response body to the console.
    private static void showContent(Stream stream)
    {
        using (StreamReader reader = new StreamReader(stream))
        {
            Console.WriteLine(reader.ReadToEnd());
        }
    }
}
According to the concept of Kerberos, what should happen is:
1. Client requests a ticket from the KDC.
2. KDC responds with the ticket after authentication.
3. Client uses this ticket and sends a request to the resource server.
4. Resource server sends a response.
But by using the above code I did not need to obtain a TGT. I sent my credentials with the resource URL and I got the requested results. If I turn off Kerberos in Windows authentication, I got a 401, so I have proof that this is authenticated by Kerberos. What did I miss here?
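An added example, not part of the original post: with Kerberos enabled, IIS Windows Authentication uses the Negotiate (SPNEGO) scheme, and HttpWebRequest answers the server's 401 by sending an "Authorization: Negotiate <base64>" token built from the ticket of the Windows logon session, so nothing in the client code asks for a TGT explicitly. This standalone class decodes the mechanism list inside such a token, which lets you check whether a request actually carried Kerberos or fell back to NTLM; the class and method names are mine and the sample token is constructed, not captured.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
// Added example (not from the original question). The sample token is constructed, not captured.
public static class NegotiateTokenInspector
{
    static readonly Dictionary<string, string> Names = new Dictionary<string, string> {
        { "1.3.6.1.5.5.2", "SPNEGO" }, { "1.2.840.113554.1.2.2", "Kerberos V5" },
        { "1.2.840.48018.1.2.2", "Kerberos V5 (Microsoft OID)" }, { "1.3.6.1.4.1.311.2.2.10", "NTLMSSP" } };

    // Checks the DER tag at pos and returns the content length (short or long form).
    static int Header(byte[] b, ref int pos, byte tag)
    {
        if (b[pos++] != tag) throw new FormatException($"expected tag 0x{tag:X2} at offset {pos - 1}");
        int first = b[pos++], len = 0;
        if (first < 0x80) return first;
        for (int i = 0; i < (first & 0x7f); i++) len = (len << 8) | b[pos++];
        return len;
    }

    // Reads one DER OBJECT IDENTIFIER and maps it to a mechanism name where known.
    static string ReadOid(byte[] b, ref int pos)
    {
        int len = Header(b, ref pos, 0x06), end = pos + len;
        var sb = new StringBuilder().Append(b[pos] / 40).Append('.').Append(b[pos] % 40);
        for (long acc = 0; ++pos < end; )
        {
            acc = (acc << 7) | (long)(b[pos] & 0x7f);          // base-128 sub-identifier
            if ((b[pos] & 0x80) == 0) { sb.Append('.').Append(acc); acc = 0; }
        }
        return Names.TryGetValue(sb.ToString(), out var name) ? name : sb.ToString();
    }

    // Mechanisms offered by a client "Authorization: Negotiate" token; a non-SPNEGO token is one entry.
    public static List<string> Describe(string base64Token)
    {
        byte[] b = Convert.FromBase64String(base64Token); int pos = 0;
        if (b.Length > 7 && Encoding.ASCII.GetString(b, 0, 7) == "NTLMSSP") return new List<string> { "NTLMSSP (raw)" };
        Header(b, ref pos, 0x60);                               // GSS-API InitialContextToken
        string thisMech = ReadOid(b, ref pos);
        if (thisMech != "SPNEGO") return new List<string> { thisMech + " (raw)" };
        Header(b, ref pos, 0xa0); Header(b, ref pos, 0x30);     // negTokenInit [0], NegTokenInit SEQUENCE
        Header(b, ref pos, 0xa0);                               // mechTypes [0]
        int listLen = Header(b, ref pos, 0x30), end = pos + listLen; var mechs = new List<string>();
        while (pos < end) mechs.Add(ReadOid(b, ref pos));       // MechTypeList: SEQUENCE OF OID
        return mechs;
    }

    public static void Main()   // constructed NegTokenInit offering Kerberos V5 then NTLMSSP, no mechToken
    {
        byte[] sample = { 0x60,0x27, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02, 0xa0,0x1d, 0x30,0x1b, 0xa0,0x19, 0x30,0x17,
            0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02, 0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a };
        Console.WriteLine(string.Join(", ", Describe(Convert.ToBase64String(sample))));
    }
}
```

A real token to feed Describe is the base64 text after "Negotiate " in the client's Authorization request header; a list that names Kerberos V5 shows the client offered a ticket, while a raw NTLMSSP result shows it fell back to NTLM.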