https://stackoverflow.com/questions/13806117
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianYes, that is possible. Microsoft has extended Kerberos for this. This is called Services for User (S4U). Your case is called S4U2Self (protocol transition). This will be avaible with Java 8. You can check the ticket and add that code to your Java endorsed classpath. You can read more in the MIT Kerberos wiki.
Generating AD Kerberos tickets without user password
-
06-12-2021 - |
Question
I am developing a Java EE server application that needs to generate a Kerberos ticket on behalf of a user.
The application I am developing will authenticate the user using alternate credentials (non Active Directory, say biometric), and then needs to somehow generate a Kerberos ticket showing the user is authenticated. I will then use the Kerberos ticket, to generate a SPNEGO token, and insert the token in the HTTP header so the user does not have to be re-authenticated on subsequent requests from the browser.
Is is possible to generate that Kerberos ticket on behalf of the user without the user's raw AD password ? (assume I have access to an AD Service Account login & password). If it is possible, how would I go about doing it? What kind of configuration, permissions are necessary?
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
