Storing Kerberos authentication for later impersonation

Question

Is it possible to store a Kerberos ticket to later use it to impersonate the user?

I have the scenario where a user directly invokes an external system to process some data. The external system relies on the user being impersonated/authenticated correctly in the AD.

Now the calling system has to change so that a queue sits between the user and the external system and work from the queue is handed over to the external system from that queue by a Windows service. This service needs to impersonate the user in order for the external system to correctly handle user-rights.

Given that I can't change the external system and can not store the username and password in the queue, can I save a Kerberos ticket when the user adds new work items to the queue and later impersonate the user by the service when it hands over the data to the external system. How would I do that in C#?

Answer 1

• Edit: This is the closest I can get to your actual question: Can you start a separate thread under impersonation, make the request from there, however long it takes? Under the covers this will do what is needed (unless the service process is terminated of course).

As a microsoft guy once told us "security is the thing which stops your application working when you deploy it". (His point was to test with a realistic security setup).

The ticket may have a lifetime of 10 hours but that is the time from when it was issued. It may only have a fraction of that left by the time the user makes the request.

I suggest you simply solve the underlying problem in a different way.

What is the reason why you now need to queue? Simply because the external service is choked at peak times?

• Can you beef up or scale out the hardware? Usually the cheapest way.
• Do you actually have completely separate permissions or do the users slot into a finite number of roles? If roles you could record the role the user was in, and use specially created usernames to access the external service, one for each role.
• Is the external service yours? Can you add a "pretend to be Bob" option that doesn't rely on Windows Impersonation?
• Can you start a separate thread under impersonation, make the request from there, however long it takes? Then mail it back to the user? (yes this will under the covers be doing what you ask)
• Finally you could place the user in a browser "ration queue". I.e. issue them with a number, then have the browser refresh every 10 seconds (or use Ajax) to tell them how many people ahead of them in the queue. When it is their turn, make the actual request under impersonation. (This requires them to keep the browser window open while waiting in the queue, and also requires you to keep track of outstanding requests and active browsers vs. gone-away browsers). Nasty, but will work.

Without knowing the actual problem, it is hard to advise, other than to say don't do it this way - too many gotchas.