Question

I am currently trying to enable a SPNEGO-based SSO application. As part of this I seek to get the delegated credentials.

How do I verify whether the credential I get after GSSContext.acceptSecContext(gss, 0, gss.length); is a delegated credential or not? GSSContext.getCredDelegState() is true.

My primary doubt is whether the server principal in the ticket should be krbtgt/ABC.XYZ.COM@ABC.XYZ.COM or should be the service (HTTP/host.ABC.XYZ.com) for which the ticket was delegated.

Delegated Credential is.....[GSSCredential: 
client@ABC.XYZ.COM 1.2.840.113554.1.2.2 Initiate [Ticket (hex) = 
0000: 61 81 F3 30 81 F0 A0 03   02 01 05 A1 0F 1B 0D 55  a..0...........A
0010: 53 2E 4F 52 41 43 4C 45   2E 43 4F 4D A2 22 30 20  BC.XYZ.COM."0 
0020: A0 03 02 01 00 A1 19 30   17 1B 06 6B 72 62 74 67  .......0...krbtg
0030: 74 1B 0D 55 53 2E 4F 52   41 43 4C 45 2E 43 4F 4D  t..ABC.XYZ.COM
0040: A3 81 B3 30 81 B0 A0 03   02 01 01 A1 03 02 01 01  ...0............
0050: A2 81 A3 04 81 A0 35 DF   47 76 64 F4 79 80 7C 2B  ......5.Gvd.y..+
0060: 33 92 54 3B EA C8 F4 DE   62 19 37 AE BF 27 7C 9E  3.T;....b.7..'..
0070: BA 1D E6 BA B0 90 3D 2E   41 7E 41 0D 07 2A 2D AB  ......=.A.A..*-.
0080: 33 88 11 40 69 CE 07 6E   CE 84 C3 B1 95 22 CE 8B  3..@i..n....."..
0090: 76 98 01 61 C3 FA B7 CB   9F 95 C8 1F C7 AF F4 48  v..a...........H
00A0: 87 35 5D 83 CB D2 DA 86   56 2B 80 BC 33 CD A8 B8  .5].....V+..3...
00B0: 7B 8B 5E A2 D5 6C 27 F3   D6 ED 4E 77 17 68 7E C6  ..^..l'...Nw.h..
00C0: 85 00 9D B5 43 87 44 BC   EA F5 67 12 12 96 B4 AE  ....C.D...g.....
00D0: C6 B0 49 5C 08 9E 6F BB   7E E4 91 32 D0 0A 68 FA  ..I\..o....2..h.
00E0: 9E 9C 6A 16 96 45 B6 87   58 86 ED 3B 12 EA 98 B8  ..j..E..X..;....
00F0: 6E A9 F9 3E D4 D1                                  n..>..

Client Principal = client@ABC.XYZ.COM
Server Principal = krbtgt/ABC.XYZ.COM@ABC.XYZ.COM
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 8F B5 AB AE B9 89 F1 5D   

Forwardable Ticket true
Forwarded Ticket true
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Mon Jun 17 03:53:45 PDT 2013
Start Time = Mon Jun 17 06:49:34 PDT 2013
End Time = Tue Jun 18 03:53:45 PDT 2013
Renew Till = null
Client Addresses  Null ]]

I am using a linux based KDC and linux hosts for this.

Is there any reference to what the delegated ticket should be like?


Solution

The delegated ticket has been created for the UPN of your machine; if you use an MIT/Heimdal KDC (I have no experience with those), it is probably host/fqdn@REALM. On Windows (AD KDC) it is hostname$@REALM. Only that machine is able to extract the delegated credential.

The whole point of a delegated credential is that there should be no difference between a delegated and an initial credential for an end service.
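The acceptor-side flow the answer describes, as an added example (not code from the question or the answer): accept the client's SPNEGO token, check getCredDelegState() before calling getDelegCred() (which throws when nothing was delegated), sanity-check that the delegated credential is an initiator credential for the client's own name, and then use it exactly like an initial credential to open a new context to a backend service. Assumptions that are not in the original post: the JVM runs as the HTTP service principal (for example through a JAAS Krb5LoginModule keytab login wrapped in Subject.doAs), the client's token has already been base64-decoded from the Authorization: Negotiate header, and BACKEND_SERVICE is a hypothetical SPN.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Server side of a SPNEGO exchange that (a) detects whether the client
 * delegated its credential and (b) re-uses that credential to authenticate
 * onward to another Kerberos service.
 *
 * Assumed environment (not from the original post): this code runs inside
 * Subject.doAs() after a keytab login for the service principal, so the
 * null-name credential below resolves to HTTP/host.ABC.XYZ.com@ABC.XYZ.COM.
 */
public class DelegatedCredentialCheck {

    static final Oid SPNEGO = oid("1.3.6.1.5.5.2");
    static final Oid KRB5   = oid("1.2.840.113554.1.2.2");
    // Hypothetical backend SPN in GSS host-based form (service@host); not from the original post.
    static final String BACKEND_SERVICE = "HTTP@backend.abc.xyz.com";

    static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Accepts one client token; returns the context once SPNEGO has established it. */
    static GSSContext accept(GSSManager manager, byte[] clientToken) throws GSSException {
        // null name = whichever service principal is in the current Subject / keytab.
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, SPNEGO, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
        // A real server sends 'reply' (when non-null) back in WWW-Authenticate: Negotiate <base64>.
        if (!ctx.isEstablished()) {
            // SPNEGO wanted another round trip; the caller must send 'reply' and call again.
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        return ctx;
    }

    /**
     * Returns the delegated credential, or null when the client did not delegate.
     * getDelegCred() throws if nothing was delegated, so getCredDelegState() is checked first.
     */
    static GSSCredential delegatedCredential(GSSContext ctx) throws GSSException {
        if (!ctx.getCredDelegState()) {
            return null;
        }
        GSSCredential cred = ctx.getDelegCred();
        // What we hold must be usable to *initiate* new contexts, on behalf of the client
        // (client@ABC.XYZ.COM in the question), never our own acceptor credential.
        int usage = cred.getUsage();
        boolean canInitiate = usage == GSSCredential.INITIATE_ONLY
                || usage == GSSCredential.INITIATE_AND_ACCEPT;
        if (!canInitiate || !cred.getName().equals(ctx.getSrcName())) {
            throw new GSSException(GSSException.NO_CRED);
        }
        if (cred.getRemainingLifetime() == 0) {
            throw new GSSException(GSSException.CREDENTIALS_EXPIRED);
        }
        return cred;
    }

    /**
     * Uses the delegated credential exactly like an initial one: the first token is an
     * AP-REQ for the backend, built from a service ticket the KDC issues against the
     * forwarded TGT (server principal krbtgt/REALM@REALM, as in the dump in the question).
     */
    static byte[] initiateToBackend(GSSManager manager, GSSCredential delegCred) throws GSSException {
        GSSName backend = manager.createName(BACKEND_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext out = manager.createContext(backend, KRB5, delegCred, GSSContext.DEFAULT_LIFETIME);
        out.requestMutualAuth(true); // must be set before the first initSecContext() call
        return out.initSecContext(new byte[0], 0, 0);
    }

    /** Ties the steps together for one inbound token. */
    static byte[] handle(byte[] clientToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSContext ctx = accept(manager, clientToken);
        GSSCredential delegCred = delegatedCredential(ctx);
        if (delegCred == null) {
            System.out.println("authenticated " + ctx.getSrcName() + " without delegation");
            return null;
        }
        System.out.println("delegated credential for " + delegCred.getName()
                + ", " + delegCred.getRemainingLifetime() + "s left");
        return initiateToBackend(manager, delegCred);
    }
}
```

The only thing the acceptor can check about the delegated credential through the standard GSS-API is its name, usage and lifetime; the server principal of the ticket it wraps (krbtgt/REALM@REALM for a forwarded TGT) is only visible in the implementation's toString() output, as in the question. Whether the KDC will honour the forwarded TGT for the onward request is decided by the KDC and the HTTP service principal's delegation settings, not by anything in this code.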

Licensed under: CC-BY-SA with attribution