I am developing a cross-platform application which will connect to proxy server running on Windows server 2012. The credentials to access proxy server will be the system credentials so that user doesn't have to enter the credentials manually. I have both Windows and Linux machines connected to Windows server domain with DNS entry in WS 2k12. I am able to accomplish the aforementioned requirement on Windows using WinHTTP API (NTLM). On Linux, I am using cURL. I read about building cURL with gssapi and to have kerberos setup on Linux machine, but I think user will have to make major changes on his/her system for that, and I am not sure if some changes will be required on server side too. Is there any way to achieve this functionality so that user has to do minimal changes on his side when application is used on Linux machine?
1 Answers
The changes in the Linux environment amount to joining a Windows domain. Normally the machime should only need the right content in /etc/krb5.conf. It's a job for system administrators to provide it. Users will want this change if they want to use any Windows domain services anyway.
If you think changing /etc/krb5.conf is not a viable option in your environment, you can override this location in your application by setting KRB5_CONFIG environment variable and probide this file yourself. If you do that, you may want to also override other Kerberos locations like KRB5CCNAME in order to fully isolate the app from any system-wide Kerberos setup.
In order to log in and be able to use SSO, users have to use the kinit command. Your app can launch this command on user's behalf if you want.
- 112,515
- 14
- 128
- 243