Questions tagged [kerberos-delegation]

Kerberos Delegation is a feature that allows an application to reuse the end-user credentials to access resources hosted on a different server. A common example is a web server passing the credentials of the client user to a database server behind it. Without Kerberos delegation in place, the client user credentials cannot be passed to the database server.

126 questions
2 votes, 1 answer

Programmatic Impersonation Delegation For Remote Resources (Double-Hop)

I am having a hard time to get Runtime Impersonation to work. Scenario: Anonymous access is disabled in all servers, and Windows auth is enabled. Client calls Web Api 1. Web Api 1 may call Web Api 2, or the oData Service Call from Web Api 1 to Web…
Zuhaib
2 votes, 0 answers

ImpersonationLevel is still Impersonation instead of Delegation even with SPNs and allowing delegation on the machine

ImpersonationLevel on my WindowsIdentity is still Impersonation instead of Delegation even with SPNs and permitting Kerberos delegation on the machine. I have the exact same setup in development, where I also double hop to the development…
Matt
2 votes, 1 answer

Can the forwarded Kerberos ticket be renewed?

Suppose we have the following situation: we have a machine, which acquired its ticket, then this ticket has been forwarded to another machine. Can that other machine renew the received ticket? Other question - if the machine which acquired the…
Jacek L.
2 votes, 1 answer

Making an ODBC connection when impersonating an user using Kerberos authentication

My client application/browser authenticates against my server using Kerberos. The server runs Apache/Tomcat, and it talks to my service which runs on the server. My service can distribute work to another service on a different machine, so we will…
user2237963
1 vote, 0 answers

java.net.PortUnreachableException: ICMP Port Unreachable - Kerberos error

I am trying to run a kafka cluster with Kerberos auth enabled. kafka broker, zookeeper & kdc (kerberos) servers are started as containers inside a docker network. Kafka broker port 9092 has been mapped to host machine so able to call broker from…
MHegde
1 vote, 0 answers

Kerberos is not set up . You cannot login - Keycloak

I had configured the Keycloak under the user federation settings as Kerberos. I had also entered the realm, service principal and the keytab file directory as stated. But I get the issue as: Kerberos is not set up . You cannot login In Firefox I…
1 vote, 0 answers

Kerberos Spark (2.4.6) Jobs are getting Stuck not terminating on its own

I'm using Spark 2.4.6 in Kerberized environment. I'm submitting a Spark batch job via shell script, where I'm passing principal and wrong keytab file, not performing Kinit operation. Though my Spark job runs for 24 hours and keeps on running. I'm…
1 vote, 3 answers

Confusion about Java App auth in AD based on Kerberos MSLSA ticket cache

The task is to get myapp to auth in AD using Kerberos ticket cache from MSLSA with no password prompting and without keytab. Right now I'm able to get TGT cache — which is FORWARDABLE and PROXIABLE — but I'm getting this exception in…
showgazer
1 vote, 1 answer

Kerberos double-hop issue

So, for the past week I was trying to do something with this Kerberos issue. Long story short, we have a server and it identifies incoming user to do some work. Recently, we needed to upload some of the results, so user is now delegated so it can…
1 vote, 0 answers

Unexpected 401 error when connecting to a web service (possible kerberos \ double hop error related)

We have a client that connects to a web service (service1.svc) with the URL https:\destination.domain\Service1.svc. This web service connects to a second web service (service2.asmx) with the URL https:\localhost.domain\service2.asmx. Both service…
AndyS
1 vote, 1 answer

Issue with MSAL 4.16.0 when using Integrated Windows Authentication

I am writing a dotnet core console app that makes use of MSAL library to generate access token. I am making use of Integrated Windows Authentication as all the constraints that are mentioned in this link are satisfied by the organization I am in.…
1 vote, 1 answer

Kerberos: Spark UGI credentials are not getting passed down to Hive

I'm using Spark-2.4, I have a Kerberos enabled cluster where I'm trying to run a query via the spark-sql shell. The simplified setup basically looks like this: spark-sql shell running on one host in a Yarn cluster -> external hive-metastore running…
sbrk
1 vote, 1 answer

Kerberos Impersonation level 'impersonation' instead of 'delegation'

Situation: I have a .NET Core CLI 2.2. or 3.0 preview5 client, that sends a REST request to a server, secured with Kerberos. The impersonation level should be "delegation", but only "impersonation" is achieved. Problem: I cannot achieve delegation…
1 vote, 0 answers

What is the Purpose of "isInitiator" flag in Krb5LoginModule?

I am working on Kerberos delegation, where I wish to impersonate the user based on incoming ticket, and make the connection to third party system. My observation is, context.getCredDelegState() returns true only when isInitiator flag from the…
1 vote, 0 answers

Can .NET client library be configured to use CNAME for Kerberos authentication?

Windows clients, in this case browsers, are configured to ignore DNS CNAME records when building Kerberos ticket requests to send to a KDC. If you have a CNAME it will also resolve the A records the CNAME is pointing at and use the A record's FQDN…