[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: preauth_always option?

On Thu, 29 May 2008 17:02:23 -0500
"Douglas E. Engert" <deengert@anl.gov> wrote:

> Michael B Allen wrote:
> > On Thu, 29 May 2008 14:11:32 -0500
> > "Douglas E. Engert" <deengert@anl.gov> wrote:
> > 
> >> mod_auth_kerb with delegation is another example. Every new connection
> >> has to get a new TGT to delegate! That could be one per web page!
> > 
> > I'm curious. Why does mod_auth_kerb need to get a TGT to do
> > delegation? Doesn't it just used the delegated credential emitted
> > by gss_accept_sec_context?
> I did not word that right. The overhead is on the client side and its
> KDC. The client side of spnego would get the TGT to delegate to mod_auth_kerb.
> But the Kerberos client does not cache the TGTs to be delegated, so ecah
> time a spnego connect is made the client will get a new TGT. The delegated
> TGT may have channel bindings or some other flags that means it is
> different that the the main users TGT.

Ahh, yes, but I think that's specific to non non-Windows systems. Someone
really should fix that actually. FF needs the PIPE ccache code I was
playing with.


Michael B Allen
PHP Active Directory SPNEGO SSO