Sorin Manolache
2016-03-16 09:33:53 UTC
Hello,
My apologies if it is not the right mailing list for asking this question.
I have a system consisting of an Authentication Server, a Backend and a
Client.
The Client first invokes the Authentication Server.
The Authentication Server executes
gss_acquire_cred()
gss_init_sec_context()
As a result, it obtains a kerberos service ticket that it sends to the
Client.
Next, the Client invokes the Backend and passes the obtained service ticket.
The Backend executes
gss_accept_sec_context().
The Client<->Authentication Server and Client<->Backend are HTTP. The
Client is oblivious to the fact that the data item it receives/sends is
a kerberos service ticket. For it it's just opaque data, so the Client
uses no GSS/Kerberos stack.
Assuming that the service ticket expires in N seconds, may the Client
perform several requests to the Backend using the same service ticket
(that is without making new requests to the Authentication Server)
during the N seconds until the ticket expiration?
I'm asking the question because I have two backends with two GSS stacks.
The backend with the binary GSS stack of MIT accepts the ticket several
times with no error. The second backend uses a Java GSS stack. It
accepts the ticket once but if I attempt a second request with the same
ticket then I get an exception indicating that I'm trying to replay the
ticket which it does not accept. Apparently the Java stack "remembers"
the ticket and rejects requests if it finds the ticket in its cache.
Which implementation obeys the standard? The Java one or the MIT GSS
stack? Are both approaches correct and is it just a matter of
configuring the two stacks?
Thank you in advance,
Sorin
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
My apologies if it is not the right mailing list for asking this question.
I have a system consisting of an Authentication Server, a Backend and a
Client.
The Client first invokes the Authentication Server.
The Authentication Server executes
gss_acquire_cred()
gss_init_sec_context()
As a result, it obtains a kerberos service ticket that it sends to the
Client.
Next, the Client invokes the Backend and passes the obtained service ticket.
The Backend executes
gss_accept_sec_context().
The Client<->Authentication Server and Client<->Backend are HTTP. The
Client is oblivious to the fact that the data item it receives/sends is
a kerberos service ticket. For it it's just opaque data, so the Client
uses no GSS/Kerberos stack.
Assuming that the service ticket expires in N seconds, may the Client
perform several requests to the Backend using the same service ticket
(that is without making new requests to the Authentication Server)
during the N seconds until the ticket expiration?
I'm asking the question because I have two backends with two GSS stacks.
The backend with the binary GSS stack of MIT accepts the ticket several
times with no error. The second backend uses a Java GSS stack. It
accepts the ticket once but if I attempt a second request with the same
ticket then I get an exception indicating that I'm trying to replay the
ticket which it does not accept. Apparently the Java stack "remembers"
the ticket and rejects requests if it finds the ticket in its cache.
Which implementation obeys the standard? The Java one or the MIT GSS
stack? Are both approaches correct and is it just a matter of
configuring the two stacks?
Thank you in advance,
Sorin
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev