kerberos-delegation

Asp.net delegation

流过昼夜 submitted on 2020-01-23 08:11:11
Question: I am making a .Net Web API that gets data by calling an SQL server. The user is authenticated via Windows Authentication (Kerberos). I would like the user credentials to be passed to the SQL server via delegation, but the SQL server sees an anonymous user. This is what I have done: IIS application: Windows Authentication and asp.net impersonation enabled. Anonymous and forms authentication disabled. Enable kernel mode authentication is checked. Providers: Negotiate, Kerberos. Use app pool

SSRS 2016 Native Double-Hop Windows Authentication

不羁的心 submitted on 2020-01-02 09:19:34
Question: Myself and another admin have been trying to troubleshoot the double-hop authentication issue on our new reporting server (where the report runs as the authenticated user, but cannot delegate to the data source and returns a 'NT Authority\Anonymous' authentication error) and we seem to be hitting a dead end. Here is a bit about our setup. We have SSRS 2016 installed on one server, and our data source for reports is on another server. We have done the following steps to try and enable

Client cannot authenticate via:[TOKEN, KERBEROS]

痞子三分冷 submitted on 2020-01-01 06:13:06
Question: I'm using YarnClient to programmatically start a job. The cluster I'm running on has been kerberos-ized. Normal map reduce jobs submitted via "yarn jar examples.jar wordcount..." work. The job I'm trying to submit programmatically does not. I get this error: 14/09/04 21:14:29 ERROR client.ClientService: Error happened during application submit: Application application_1409863263326_0002 failed 2 times due to AM Container for appattempt_1409863263326_0002_000002 exited with exitCode: -1000

How to delegate the kerberos client credentials to the server?

扶醉桌前 submitted on 2019-12-25 06:48:05
Question: It's possible to get a service ticket for the client (remote user) in the server side in order to use that ticket to authenticate against another backend? Scenario: User (IE) ==> AppServer (Websphere, under Linux) ==> Backend (webservice). We have SPNEGO auth running and working in the AppServer. The AD user that runs the AppServer has the rights to do the delegation. Thanks in advance. ===================== UPDATE @Michael-O So ... this should be the step by step?? 1) Login the AppServer User

java security exception : checksum failed

杀马特。学长 韩版系。学妹 submitted on 2019-12-25 02:29:32
Question: I am using http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/ for SSO in Java. I have a KDC on Windows Server 2008; in that I have created an SPN by using the setspn command for the testsso user. And I am using testsso@MYDOMAIN.COM as principal in jaas.con. I have a Tomcat server on a Windows 7 machine (within AD). In this I have created one servlet as of jsp (from webmoli itself). I am sending a browser request for that servlet from a 3rd machine, Windows XP (within AD). But I get a checksum failed error. Stacktrace

Kerberos delegation: GSSUtil.createSubject returns subject with principal name only

时间秒杀一切 submitted on 2019-12-24 22:51:48
Question: I am doing Kerberos delegation. I noticed that GSSUtil.createSubject(context.getSrcName(), clientCred) returns a Subject without having credentials in it. Prior to that I've done GSSCredential clientCred = context.getDelegCred(); which returns the credentials. Edit: When I hit my service from one machine in the same domain, it works, while if accessed from another machine in the same domain, it doesn't. Confused about what additional settings are needed on AD? Any help is highly appreciated. Following is my

support kerberos constrained delegation using SSPI for multiprocess

心不动则不痛 submitted on 2019-12-17 23:19:08
Question: I need to support Kerberos constrained delegation for our C++ HTTP server product on Windows using SSPI. For a single process server, the following workflow can be used and I have a working prototype. 1) Call AcquireCredentialsHandle 2) Call AcceptSecurityContext 3) Call ImpersonateSecurityContext 4) Do delegation 5) Call RevertSecurityContext However, the C++ HTTP server has a master process and a worker process. Both processes run on the same machine and use the same service account, and each

Switching application to use Constraint based kerberos

≡放荡痞女 submitted on 2019-12-11 06:39:21
Question: I have an old application that we set up with delegation-based Kerberos. Everything with the application worked fine till we tried it out on one of our new Windows 10 machines. After a while, we finally figured out that Credential Guard is not playing nice with this old application. According to https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations Kerberos Considerations When you enable Windows Defender Credential Guard, you can

How to use WAFFLE for SSO using stand alone java client

南笙酒味 submitted on 2019-12-11 02:05:58
Question: We are trying to use WAFFLE for SSO using a standalone Java client with JAAS. We've mentioned waffle.jaas.WindowsLoginModule in our jaas.conf but it is prompting for user name and password, which we believe is not an ideal solution for SSO. Can anyone suggest how to avoid this? FYI - We aren't using any web/app server. Answer 1: I believe you will need both a server and client for SSO. You can have a look at this example, it doesn't use the login module but the underlying WindowsSecurityContext

Programmatic Impersonation Delegation For Remote Resources (Double-Hop)

笑着哭i submitted on 2019-12-09 23:22:15
Question: I am having a hard time getting Runtime Impersonation to work. Scenario: Anonymous access is disabled in all servers, and Windows auth is enabled. Client calls Web Api 1. Web Api 1 may call Web Api 2, or the oData Service. Call from Web Api 1 to Web Api 2 needs to be impersonated with the Client Credentials. Calls from Web Api 1 to oData Service must not be impersonated. Web Api 1 calls both the service using Web Request. We have Kerberos delegation configured properly. What Works (Kinda): If I turn