How to retrieve group membership from a kerberos ticket?

Tags: java, kerberos

I am trying to extract group membership information from a Kerberos ticket generated on Windows 2008 R2.

In a URL, I found the following statement: Kerberos is also looking into mechanisms to include group membership information in Kerberos authorization data. Although it would be favourable to include group names into ACLs, GSS-API currently does not have a mechanism to support this.

It seems Microsoft has extended Kerberos to include group membership based on this URL: http://msdn.microsoft.com/en-us/library/ms817918.aspx: The Kerberos Authentication Group Membership Extensions extend the Kerberos Authentication Network Service (version 5) specification to support interactive logon authentication and group membership information for the Microsoft Windows operating system. Extensions include the Privilege Access Certificate (PAC) structure, located in the authorization data field of the Kerberos v5 ticket.

That URL references a field (Authorization Data) in the ticket that I cannot determine how to access using this API: http://docs.oracle.com/javase/6/docs/api/org/ietf/jgss/GSSContext.html

Does anyone know how to get access to that field? Or perhaps guidance on how to extract the group information from a Kerberos ticket generated on Windows 2008 R2.

I am writing in Java, but would also be willing to write in C. The logic to extract the group information from the ticket is running on UNIX despite using Windows as the Kerberos server.

Thank you for any help you can give me!

Jason asked Nov 25 '11 01:11



1 Answer

There is no native support in Java for reading the PAC fields. The JaasLounge project claims to have a working PAC decoder. If you want to use C, Heimdal has PAC support. I do not know to what extent that works. Good luck!

Another way would be: if you have some spare time, grab Microsoft's documentation and read the bytes yourself from the Kerberos ticket and create an open source project from it :-D

Michael-O answered Oct 28 '22 20:10
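The answer suggests reading the bytes yourself from Microsoft's documentation. As an added example (not part of the question or the answer, and not JaasLounge or Heimdal code), the Python below does the first half of that job: it walks the decrypted ticket's AuthorizationData (RFC 4120 DER: a SEQUENCE OF { ad-type [0] Int32, ad-data [1] OCTET STRING }), descends into AD-IF-RELEVANT (type 1) to find AD-WIN2K-PAC (type 128), and then reads the MS-PAC PACTYPE header and PAC_INFO_BUFFER table, rejecting buffer offsets that run past the blob. The sample AuthorizationData is constructed inline. The group RIDs themselves sit in the NDR-encoded KERB_VALIDATION_INFO inside buffer type 1, which this example stops short of decoding, and a real consumer must verify the server and KDC checksums (buffer types 6 and 7) with the service key before trusting anything in the PAC. AuthorizationData is in the encrypted part of the ticket, so you need the service's key (keytab) to decrypt it before this parser applies; the GSSContext API named in the question does not hand that out.

```python
import struct

AD_IF_RELEVANT = 1      # RFC 4120: wrapper an application may ignore if it does not understand the contents
AD_WIN2K_PAC = 128      # MS-KILE: the Microsoft PAC lives here, nested inside AD-IF-RELEVANT

PAC_BUFFER_NAMES = {    # MS-PAC PAC_INFO_BUFFER.ulType values
    1: "PAC_LOGON_INFO",        # KERB_VALIDATION_INFO (NDR): UserId, GroupIds, ExtraSids
    6: "PAC_SERVER_CHECKSUM",   # keyed checksum over the PAC; verify before trusting group data
    7: "PAC_PRIVSVR_CHECKSUM",  # KDC signature over the server checksum
}

def der_read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_authorization_data(buf):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }.
    Returns a list of (ad_type, ad_data) pairs."""
    tag, seq, _ = der_read_tlv(buf)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    items, pos = [], 0
    while pos < len(seq):
        tag, elem, pos = der_read_tlv(seq, pos)
        tag0, wrapped_type, p = der_read_tlv(elem)      # [0] EXPLICIT -> 0xA0
        tag1, wrapped_data, _ = der_read_tlv(elem, p)   # [1] EXPLICIT -> 0xA1
        if (tag, tag0, tag1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData element")
        _, type_bytes, _ = der_read_tlv(wrapped_type)   # INTEGER
        _, ad_data, _ = der_read_tlv(wrapped_data)      # OCTET STRING
        items.append((int.from_bytes(type_bytes, "big", signed=True), ad_data))
    return items

def find_pac(authz_der):
    """Return the raw PACTYPE blob, descending into AD-IF-RELEVANT, or None if absent."""
    for ad_type, ad_data in parse_authorization_data(authz_der):
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT:
            pac = find_pac(ad_data)
            if pac is not None:
                return pac
    return None

def parse_pac_buffers(pac):
    """PACTYPE: cBuffers ULONG, Version ULONG, then PAC_INFO_BUFFER[cBuffers] of
    (ulType ULONG, cbBufferSize ULONG, Offset ULONG64), all little-endian.
    Returns [(ulType, payload_bytes), ...]."""
    c_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    buffers = []
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):            # refuse offsets/sizes that overrun the blob
            raise ValueError("PAC buffer type %d overruns the PAC" % ul_type)
        buffers.append((ul_type, pac[offset:offset + size]))
    return buffers

def pac_buffer_summary(authz_der):
    """Names and sizes of the PAC buffers found in AuthorizationData, or None."""
    pac = find_pac(authz_der)
    if pac is None:
        return None
    return [(PAC_BUFFER_NAMES.get(t, "unknown(%d)" % t), len(d)) for t, d in parse_pac_buffers(pac)]

# --- constructed sample input; these encoders exist only to build test data -----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_ad_element(ad_type, ad_data):
    type_bytes = ad_type.to_bytes((ad_type.bit_length() + 8) // 8, "big", signed=True)
    return der(0x30, der(0xA0, der(0x02, type_bytes)) + der(0xA1, der(0x04, ad_data)))

def build_pac(buffers):
    """Assemble a PACTYPE from (ulType, payload) pairs, each payload 8-byte aligned."""
    infos, body, offset = b"", b"", 8 + 16 * len(buffers)
    for ul_type, payload in buffers:
        pad = (-offset) % 8
        body, offset = body + b"\x00" * pad, offset + pad
        infos += struct.pack("<IIQ", ul_type, len(payload), offset)
        body, offset = body + payload, offset + len(payload)
    return struct.pack("<II", len(buffers), 0) + infos + body

SAMPLE_PAC = build_pac([
    (1, b"<constructed stand-in for NDR-encoded KERB_VALIDATION_INFO>"),
    (6, b"\x00" * 16),   # dummy checksum bytes, not a valid signature
    (7, b"\x00" * 16),
])
SAMPLE_AUTHZ_DATA = der(0x30, der_ad_element(
    AD_IF_RELEVANT, der(0x30, der_ad_element(AD_WIN2K_PAC, SAMPLE_PAC))))
```

Calling `pac_buffer_summary(SAMPLE_AUTHZ_DATA)` yields the three buffers with their sizes. Feeding it the DER `authorization-data` field of a decrypted `EncTicketPart` from a Windows KDC works the same way; the next step, which this block leaves out, is an NDR decoder for KERB_VALIDATION_INFO to turn buffer type 1 into RIDs and SIDs, done only after the checksums in buffers 6 and 7 check out.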