Verifying if the delegated kerberos credential is proper

StackOverflow https://stackoverflow.com/questions/17152322

  •  31-05-2022
  •  | 
  •  

Question

I am currently trying to enable a spnego based SSO Application. As part of this I seek to get the delegated credentials.

How to verify that the credential I get after GSSContext.acceptSecContext(gss, 0, gss.length); is a delegated credential or not. GSSContext.getCredDelegState() is true.

My primary doubt is whether the server principal in the ticket should be krbtgt/ABC.XYZ.COM@ABC.XYZ.COM or should be the service (HTTP/host.ABC.XYZ.com) for which the ticket was delegated?``

Delegated Credential is.....[GSSCredential: 
client@ABC.XYZ.COM 1.2.840.113554.1.2.2 Initiate [Ticket (hex) = 
0000: 61 81 F3 30 81 F0 A0 03   02 01 05 A1 0F 1B 0D 55  a..0...........A
0010: 53 2E 4F 52 41 43 4C 45   2E 43 4F 4D A2 22 30 20  BC.XYZ.COM."0 
0020: A0 03 02 01 00 A1 19 30   17 1B 06 6B 72 62 74 67  .......0...krbtg
0030: 74 1B 0D 55 53 2E 4F 52   41 43 4C 45 2E 43 4F 4D  t..ABC.XYZ.COM
0040: A3 81 B3 30 81 B0 A0 03   02 01 01 A1 03 02 01 01  ...0............
0050: A2 81 A3 04 81 A0 35 DF   47 76 64 F4 79 80 7C 2B  ......5.Gvd.y..+
0060: 33 92 54 3B EA C8 F4 DE   62 19 37 AE BF 27 7C 9E  3.T;....b.7..'..
0070: BA 1D E6 BA B0 90 3D 2E   41 7E 41 0D 07 2A 2D AB  ......=.A.A..*-.
0080: 33 88 11 40 69 CE 07 6E   CE 84 C3 B1 95 22 CE 8B  3..@i..n....."..
0090: 76 98 01 61 C3 FA B7 CB   9F 95 C8 1F C7 AF F4 48  v..a...........H
00A0: 87 35 5D 83 CB D2 DA 86   56 2B 80 BC 33 CD A8 B8  .5].....V+..3...
00B0: 7B 8B 5E A2 D5 6C 27 F3   D6 ED 4E 77 17 68 7E C6  ..^..l'...Nw.h..
00C0: 85 00 9D B5 43 87 44 BC   EA F5 67 12 12 96 B4 AE  ....C.D...g.....
00D0: C6 B0 49 5C 08 9E 6F BB   7E E4 91 32 D0 0A 68 FA  ..I\..o....2..h.
00E0: 9E 9C 6A 16 96 45 B6 87   58 86 ED 3B 12 EA 98 B8  ..j..E..X..;....
00F0: 6E A9 F9 3E D4 D1                                  n..>..

Client Principal = client@ABC.XYZ.COM
Server Principal = krbtgt/ABC.XYZ.COM@ABC.XYZ.COM
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 8F B5 AB AE B9 89 F1 5D   

Forwardable Ticket true
Forwarded Ticket true
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Mon Jun 17 03:53:45 PDT 2013
Start Time = Mon Jun 17 06:49:34 PDT 2013
End Time = Tue Jun 18 03:53:45 PDT 2013
Renew Till = null
Client Addresses  Null ]]

I am using a linux based KDC and linux hosts for this.

Is there any reference to what the delegated ticket should be like?

Était-ce utile?

La solution

The delegated ticket has been created for the UPN of your machine, if you use MIT/Heimdal KDC (no experience with) it's probably host/fqdn@REALM. In Windows (AD KDC) it is hostname$@REALM. Only that machine is able to extract the delegated credential.

The whole point of delegated credential is that there should be no difference between a delegated and a initial credential for an end service.

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top