
I'm playing around with Kerberos SSO. From my experiments so far,

  1. When I open a web app that is configured with Kerberos from the browser, it prompts me for the username and credentials; once I enter them, I'm logged into the web app.

  2. When I do a kinit from the terminal and give my credentials, I'm signed into the KDC for the given user. After kinit, when I open a web app I'm signed into the web app, without any credentials.

One possible explanation is that when I do a kinit, the TGT is stored in the OS, where it is available to other clients on the host machine, so my browser was able to use that TGT without prompting me for a password.

Now my questions are:

  • Will I be able to cache the TGT without using kinit?
  • If yes, how can I do it using a Java client?
  • If the answer for the first question is yes, will I be able to do it from my web app opened in the browser?
Kannan Ramamoorthy
  • _"After `kinit` ... I'm signed into the web app, **without any credentials**"_ >> **wrong** - the whole point of `kinit` is to manage the "ticket cache" for apps that don't manage their own private Kerberos creds. https://web.mit.edu/kerberos/krb5-1.15/doc/user/user_commands/kinit.html – Samson Scharfrichter Nov 18 '19 at 11:53
  • Java can create Kerberos creds on-the-fly, using proper JAAS config _(debugging is not easy for beginners though)_. Java can read from the Kerberos cache, at least for `FILE:` type (and also from the Windows-specific LSA cache, with proper JAAS and Windows settings). Java will **not** write in the Kerberos cache. – Samson Scharfrichter Nov 18 '19 at 11:57
  • @Samson how about a web app accessed from the browser? – Kannan Ramamoorthy Nov 18 '19 at 14:24
  • Depends on what you call a "web app". I know there are some JavaScript bindings to Kerberos, but probably with very little documentation. – Samson Scharfrichter Nov 18 '19 at 18:01
  • @Samson Even any simple page that is served through the browser is what I call a web app. If you could point out any link, that would be great. As far as I have explored, there doesn't seem to be any. – Kannan Ramamoorthy Nov 18 '19 at 18:30
  • Google about **SPNego**. It's the standard challenge/response where the _browser_ manages Kerberos auth using whatever credentials it can find. On the other hand, if you run a rich client inside the browser, it may be able to manage the authentication directly in a custom way. – Samson Scharfrichter Nov 19 '19 at 17:32

1 Answer


Whenever kinit is executed, a TGT is requested and stored in the OS ticket cache. This TGT can be used to get a TGS (service ticket) for multiple services.

If you haven't added your app URL as a 'trusted intranet site' in the browser, then the browser will give you a pop-up the first time in every new session.
The browser accepts the credentials, gets the TGT from your KDC, and puts it in the cache. Furthermore, using this TGT, it asks the KDC for the TGS for your app URL (usually identified as "HTTP(S)/APP_SERVER_HOSTNAME").

You can verify this:

  • Perform klist purge to clean all the tickets from the cache.
  • Open the browser and hit your app URL.
  • Provide credentials in the pop-up and submit.
  • Execute klist and observe that there are two tickets in the cache.
  • One of the tickets is the TGT, with an SPN like krbtgt@XXX.domain.
  • The other is the TGS for your service, usually "HTTP(S)/APP_SERVER_HOSTNAME".

Please note:

  • A TGT is created by default when you log in to the OS. So you can see there's a TGT for your user in the OS cache.
  • OS ticket cache behavior can be platform specific (not verified by me).
  • You can obtain a TGT/TGS or even delegate the credentials using (Java) code.
  • The cache mentioned in your KRB conf is not necessarily the OS ticket cache.

For credential delegation, check out this: Java SPNEGO Authentication & Kerberos Constrained Delegation (KCD) to backend service
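As an added example (it is not code from the question, the answer, or the comments, and not from any project mentioned here), the Java client below does from code what the answer's klist walkthrough and the comment about JAAS describe: it logs in with Krb5LoginModule configured to read the existing ticket cache without prompting, lists the tickets the Subject holds (classifying krbtgt/ entries as the TGT and everything else as service tickets), and then builds the SPNEGO token a browser would send in an `Authorization: Negotiate` header. It assumes a cache already populated by kinit or OS login, a reachable KDC described by the system's krb5 configuration, and a hypothetical service principal `HTTP@app.example.com`; the class and method names are mine.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example: reuse an existing Kerberos ticket cache from Java and mint a SPNEGO token. */
public class TicketCacheSpnegoClient {

    /** Programmatic JAAS config: read the OS ticket cache and never fall back to a password prompt. */
    static final class CacheOnlyConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");   // load the TGT that kinit / OS login already stored
            opts.put("doNotPrompt", "true");      // fail instead of asking for credentials
            opts.put("renewTGT", "true");         // renew a renewable TGT that is close to expiry
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** The TGT is the ticket whose server principal is krbtgt/REALM@REALM; anything else is a service ticket. */
    static String classify(String serverPrincipal) {
        return serverPrincipal.startsWith("krbtgt/") ? "TGT" : "service ticket";
    }

    /** Print every Kerberos ticket the Subject currently holds (mirrors "klist" for this JVM's view). */
    static void listTickets(Subject subject, String stage) {
        System.out.println("Tickets held after " + stage + ":");
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            String server = t.getServer().getName();
            System.out.printf("  %-14s %s (expires %s)%n", classify(server), server, t.getEndTime());
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical target; in practice this is the HTTP service principal of your app server.
        String service = args.length > 0 ? args[0] : "HTTP@app.example.com";

        LoginContext lc = new LoginContext("cache-only", null, null, new CacheOnlyConfig());
        lc.login();                          // reads the TGT from the cache; throws if none is usable
        Subject subject = lc.getSubject();
        listTickets(subject, "login");       // expect exactly the TGT here

        // Ask the KDC for a service ticket and wrap it in a SPNEGO token, as the browser does.
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");          // SPNEGO mechanism OID
            GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(peer, spnego, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            // First leg of the exchange only; a full handshake feeds the server's reply back in.
            byte[] first = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return first;
        });

        // The service ticket is now in the Subject; Java does not write it back to the OS cache.
        listTickets(subject, "initSecContext");
        System.out.println("Authorization: Negotiate " + Base64.getEncoder().encodeToString(token));
        lc.logout();
    }
}
```

Run it after a kinit (or an OS login that populates the cache) with the JVM's normal Kerberos configuration in place; if no usable TGT is found, `lc.login()` throws rather than prompting, which is the failure mode you want in unattended code. On Windows the LSA cache only exposes a TGT whose session key the OS is allowed to export, which is off by default, so the first listing may be empty there even though klist shows a ticket.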