Questions tagged [kerberos-delegation]

Kerberos Delegation is a feature that allows an application to reuse the end-user credentials to access resources hosted on a different server. A common example is a web server passing the credentials of the client user to a database server behind it. Without Kerberos delegation in place, the client user credentials cannot be passed to the database server.

126 questions
0 votes, 0 answers

Kerberos Delegation problems when sites are on the same machine

I have one server that hosts two sites, one is a webapi site and another is wcf site like below, the identity is the wcf site, the sql is the webapi site: IIS Sites Settings And I set accounts for both of them as their App pool identity identity…
0 votes, 0 answers

In Apache Spark 2.4. How to force the driver logger to use the latest renewed kerberos delegation token to write to HDFS, instead of an outdated one?

One of our Spark applications frequently ran into a Kerberos authentication error on a Hadoop cluster. Initially we believed it to be caused by a misconfigured delegation token renewal policy. But later we found the following message in the Spark…
tribbloid
0 votes, 1 answer

Relation between "Impersonate a client after authentication" right and Kerberos's "trusted for delegation" right

Do we also need to assign the "Impersonate a client after authentication" right to the service account performing the Kerberos delegation, in addition to the "Act as part of the operating system" right? How does each of these rights fit together?
jittrfunc
0 votes, 0 answers

Getting "Delegation Token can be issued only with kerberos or web authentication" executing Hive query in shell script

I am trying to connect to Hive and execute a query in a shell script triggered by Oozie; the server is Kerberos-enabled. I am passing Hive credentials in the workflow but I am still getting the error output whenever the Hive script is executed, Error…
0 votes, 0 answers

IIS conditional skip builtin windows auth

Issue We are trying to retrofit a legacy application (TFS) with 2FA auth. It's a lot to explain in detail but the setup is the following: Host A Host B End user - https -> IIS Proxy - https…
davidgiga1993
0 votes, 1 answer

Kerberos authentication: how to use case-insensitive usernames?

I am new to Kerberos. We are creating a web application that uses Kerberos authentication with Microsoft AD as the KDC. The web app runs on Linux CentOS and acts on behalf of the user (constrained delegation) to: make http requests to a REST…
0 votes, 1 answer

How can I get Kerberos SSO for spring to work behind a load balancer across multiple domains?

We have an application which is SSO enabled and runs on the below URL https://abcd.test.com. Now we have created a new application which is Spring Kerberos enabled (with keytab file) and has a different URL (https://xyz.test.com). Now we will put a…
0 votes, 1 answer

Kerberos Delegation and Authentication: Impact due to Domain change

[I'm fairly new to Kerberos Protocol] We have a customer, who back in 2020 was using a domain let's call it customdom.itm, which has a user account krb-test-cd setup for Kerberos delegation and this domain is part of a domain Active Directory forest…
0 votes, 0 answers

How to implement a custom delegation token

I have the following scenario: I have an HTTP service where I have a logged in user with a keytab and a kerberos principal - let's name this user for the sake of the example service_user Then I have a client which invokes this service and…
dfritsi
0 votes, 1 answer

Kerberos challenge for every request

I hosted a few applications in IIS (Version: 10) with Kerberos authentication. All web applications are configured under a single web site. Only Windows authentication is enabled. What I observed is I get 401 followed by 200 for every request. And…
0 votes, 0 answers

Kerberos How To Delegate On Behalf Of Users AND Access Resources Independent Of Users

I have a webapp running on Linux that uses Delegation to effectively mirror the permissions of the User that makes requests. The webapp uses a keytab that looks something like this: KVNO Timestamp Principal ---- -----------------…
Howard_Roark
0 votes, 0 answers

Impersonation and potential Kerberos Double-Hop in Dotnet Core API

I'm trying to get an API to pass client credentials through to the database (on a different server) but experiencing something that smells very much like a Kerberos double-hop issue to me, however the systems people say that Kerberos delegation is…
0 votes, 1 answer

How to do LDAP Query through Kerberos Delegation

Customer has both internal domain and DMZ domain. There is no trust between both domains at this point. We have web application which is deployed at DMZ zone since the application has some interaction with external users as well. Internal users…
windfly2006
0 votes, 1 answer

Problem on configure delegation in cross domain AD account

In our test environment there are 2 domains. A one-way trust was set up and then we changed to two-way; it still does not work. I want to set up delegation on domainA/userA. In the Delegation tab, I choose Trust this user for delegation to specified services only.…
Mark
0 votes, 1 answer

IdentityServer ClaimsIdentity to Impersonated WindowsIdentity

I've got an IdentityServer setup to connect to an external ADFS server. I'm able to login and obtain an access token via OAuth2 / OpenId Connect. An AspNet.Core WebApi runs within an IIS AppPool with a user that has Kerberos delegation enabled…