Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Kerberos delegation between different services

Tags:

authentication

webserver

apache

httpd.conf

kerberos

We have the following setup with httpd webservers as shown below:

enter image description here

Heres the scenario: Server A takes the request from Browser does some operations and creates a new request and sends it to Server B. User X is authenticated on Server B, but User Y is not (and it is not supposed to). Since A is creating a new request, B is thinking that Y has sent the request and so denying it. Removing Server A is not an option. How do I solve this. Can you please help?

like image 607
sunil_mlec Avatar asked Sep 03 '15 10:09

sunil_mlec

1 Answers

This can be solved by delegation: server A should authenticate itself as user X while making request to server B.

Delegation:

  • server A receives request from browser, containing TGS ticket.
  • server A has correct username/password combination (as stored in Kerberos database in user representing service), so it can open the ticket and authenticate this user
  • server A makes request to KDC for a delegated ticket, with ticket received from user attached.
  • KDC (for example AD) checks if delegation is possible (in Active Directory user representing server A must be granted right to delegate. This tab becomes visible after you use command ktpass on ADC to generate keytab file. AD also checks if user account permits delegation of its ticket - it's enabled by default, can be disabled for some special, sensitive users)
  • KDC gives server A a delegated Kerberos ticket. Server A uses it to log in to server B.
  • server B receives request from server A with delegated ticket which says that it's the user X who logs in.

Kerberos delegation is sometimes called "a double hop": http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

Active Directory administrators might not like the idea of giving service A right to delegate tickets (i.e. logging in to any other service in domain as user X). That's why a "constrained delegation" was introduced few years ago. It enables AD administrators to let service A log in as user X only to server B. They can set that on activeDirectory account representing service A.

http://windowsitpro.com/security/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1

like image 188
greenmarker Avatar answered Oct 16 '22 03:10

greenmarker
Sign in to Comment

Related questions

Apache HTTP client, request from specific network interface
How to disable mod_security and mod_security2 in .htaccess
Php - get path after php script
Can someone prompt me in the right direction to use mod_rewrite?
htaccess redirect URI to parent directory
Can Cesium map run on Apache HTTP server instead of node.js environment?
Laravel routes not working except for root
Why am I getting exception "IOException: ZIP entry size is too large" when trying to open an Excel file using Apache POI?
Configure URLs with prefix in Mojolicious behind Reverse Proxy (ProxyPass)
Reverse Proxy with Apache on Centos 6
SOLR search filter by relevancy score
How build hadoop sources under windows?
Minimal configuration for Apache reverse proxy in Docker container
Mime4j: DefaultMessageBuilder fails to parse mbox content
Apache HTTP Server vs Oracle HTTP Server
How to make Apache check if PHP file exists before passing it to PHP-FPM?
java.lang.IllegalArgumentException: Host name may not be null, while firing a get request
Executing Specific JMeter Thread Groups in a Test Plan
Why can't I use an apache httpcomponents object in spring-boot, even though it is listed in the MVN dependancies?
How do I set my RAILS_ENV with Passenger and Apache?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!