I'm currently learning about Kerberos and I was wondering - is there a way for me to access the Ticket Granting Ticket I received from the KDC?
Asked
Active
Viewed 217 times
0
-
Check kerberos constrained delegation for more. With correct settings (and if IT admins allow it) you can get the TGT of the user. Check out- https://stackoverflow.com/questions/39743700/java-spnego-authentication-kerberos-constrained-delegation-kcd-to-backend-se/57377671#57377671 – Bhushan Karmarkar Jun 28 '21 at 10:27
1 Answers
0
As a rule: no. The TGT is highly sensitive and many platforms try and go out of their way to prevent you from touching the TGT directly. In some libraries you can query it out of the ticket cache.
That said, you haven't specified which platform or library or anything that would allow anyone to give you a more definitive answer.
The secondary answer is: just invoke the AS leg of the protocol and you'll have the TGT.
In most platforms there are tools out there that let you query the TGT to see the metadata of the ticket, such as klist on Windows.
Steve
- 4,463
- 1
- 19
- 24
-
Hi @Steve, basically I'm trying to debug why I'm not managing to authenticate to a REST API using Python's `requests-kerberos` package, so I'm trying to understand the individual components of this system to try to figure out where the problem is. My intent is that I could authenticate to the REST API using the logged-on user in a Windows domain – YoavKlein Jun 23 '21 at 15:31
-
That's an entirely different problem. Windows doesn't let you touch the TGT for good reason. The way you interact with Kerberos on Windows is through the SSPI API. Python either wraps it or it doesn't. If it doesn't then you're left to do it yourself or you need to debug why it's not using the current user creds. – Steve Jun 23 '21 at 19:34