NTLM Authentication & User impersonation:
We have a Java web application with Waffle-Spring Security-Windows SSO. Authentication is working fine. We want to run a batch script consisting of SSH/SCP steps in the user context. This also works fine using SSH public/private keys. But we feel key authentication is not efficient, as every user has to create key pairs and register them in the respective systems. Since GSSAPI doesn't require a key/password, we prefer to use it.
Kerberos Authentication & User Delegation
As the waffle-spring-security4 library supports only NTLM authentication, we don't think it will create a Kerberos ticket. The ticket is needed for SSH GSSAPI-based authentication.
We have the following questions. Any pointers/suggestions would be greatly helpful.
Does NTLM also check the KDC and generate a Kerberos ticket?
Can we achieve GSSAPI SSH authentication by using Waffle authentication as mentioned above?
As we are in a corporate AD, we haven't done any Kerberos setup. If we check with kinit and klist, we can see the respective tickets.
Is there any other way to use SSH GSSAPI without Kerberos tickets? i.e., NTLM authentication tokens
Is it required to enable the Administrative tool -> Local Service policy -> User management -> Enable computer and user account to be trusted for delegation?
Is it required to enable GSSAPIDelegateCredentials yes in the sshd_config file? If we add this config, the OpenSSH server fails to start.
Note: Currently, GSSAPI-based SSH is working with Waffle SSO impersonation & the CreateProcessAsUser API only for my user account. Since the Java application is deployed under my user account on the test server, this seems to be working. But it fails for all other users.