kerberos

Validate a user's password using the hash?

故事扮演 submitted on 2019-12-10 09:48:24
Question: I know it's possible to validate a user's Windows (e.g. domain) credentials programmatically using LogonUser(username, password), ValidateCredentials(username, password) from .NET, or the SSPI API directly. There has come a time when I want to persist those credentials. I'm using the Data Protection API (via the CredUI API) to encrypt the password. This means that the encrypted data can only be accessed by the user themselves. My program, running as the user, can then decrypt the protected data.

How to “un-impersonate” (un-delegate?) in Kerberos

微笑、不失礼 submitted on 2019-12-10 09:35:00
Question: I have a web application using Kerberos to access an external resource, using ASP.NET 3.5 and IIS. When a user connects with the application, Kerberos authentication auto-magically allows me to connect to external resources acting as the user, using delegation. This was not easy to do. It is nice, but I've a problem. Sometimes I need to connect to an external resource using an account with more rights than the user. The service account which the app-pool is running under has the addition

Why is kerberos defaulting to NTLM in WCF?

可紊 submitted on 2019-12-10 04:19:15
Question: Got a simple WCF demo app that has two console projects: host and client. Both are running on my machine (Win 7 box). I'm using the netTcpBinding, which uses Windows authentication. The issue is that authentication is downgrading to NTLM from Kerberos, and I can't figure out why. If I use <clientCredentials> <windows allowNtlm="true" /> </clientCredentials> on the client side, everything is cool. But if I change that to false, I get the following exception: SecurityNegotiationException: The

How to validate domain credentials (from native code)?

冷暖自知 submitted on 2019-12-10 04:03:03
Question: I want to validate a set of credentials against the domain controller, e.g.: Username: joel Password: splotchy Domain: STACKOVERFLOW. In .NET 3.5 and newer you can use PrincipalContext.ValidateCredentials(username, password). Otherwise you're in trouble. Following the code in the Microsoft Knowledge Base article "How to validate user credentials on Microsoft operating systems", I get to the point where you call AcceptSecurityContext: ss = AcceptSecurityContext( @pAS._hcred, //[in]CredHandle

GSSException: Message stream modified (41)

倾然丶 夕夏残阳落幕 submitted on 2019-12-10 02:59:02
Question: I'm working with an LDAP in a forest architecture (all servers and my server are Windows). I'm binding to the AD using NTLM authentication. I have Java code that performs the operations against the LDAP server. The code is wrapped as a Tomcat servlet. When running the Java code directly (just executing the LDAP authentication code as an application), the bind works both against the local domain (local domain = I logged in to Windows, and ran this process with a user of this domain) and foreign

After installing Kerberos with MacPort, ssh cannot use Kerberos authentication

扶醉桌前 submitted on 2019-12-10 00:12:33
Recently I wanted to set up my laptop as the company development environment, and ran into a problem logging in to servers: I configured Kerberos, ran kinit, then logged in to the server and it still asked me for a password. Later I found that MacPort had installed Kerberos; after disabling the MacPort-installed Kerberos (the Mac comes with its own Kerberos), it worked. But because I had installed SVN with MacPort, which automatically enabled Kerberos, SVN stopped working once Kerberos was disabled. So Kerberos cannot be disabled. Today I found that the kinit and klist I was using were both the MacPort-installed ones. The Mac's built-in Kerberos is actually enough to log in. The reason is that MacPort put its path in front of the default PATH. The files it modified are ~/.bash_profile and ~/.profile. Just change it to export PATH=$PATH:{MacPortPath} and it works. Source: oschina Link: https://my.oschina.net/u/226270/blog/108405

Installing and configuring Kerberos

有些话、适合烂在心里 submitted on 2019-12-09 23:53:27
1. Environment. System: operating system: CentOS 6.6; Hadoop version: CDH 5.5; JDK version: 1.7.0_67. Kerberos component allocation: node 74 is the master node, the other nodes are slave nodes. We install the Kerberos server on node 74 and the Kerberos client on the other nodes. 2. Installing and configuring Kerberos. 2.1 Installing Kerberos: on 74, install the packages krb5, krb5-server and krb5-client: # yum install krb5-server -y. On the other nodes (74, 75, 76, 77) install krb5-devel and krb5-workstation: # yum install krb5-devel krb5-workstation -y. 2.2 Modifying the configuration files: the KDC server involves three configuration files: /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl. One way to configure Kerberos is to edit the configuration file /etc/krb5.conf. The file installed by default contains several example entries. [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin

Programmatic Impersonation Delegation For Remote Resources (Double-Hop)

笑着哭i submitted on 2019-12-09 23:22:15
Question: I am having a hard time getting runtime impersonation to work. Scenario: Anonymous access is disabled on all servers, and Windows auth is enabled. Client calls Web Api 1. Web Api 1 may call Web Api 2, or the OData service. Calls from Web Api 1 to Web Api 2 need to be impersonated with the client credentials. Calls from Web Api 1 to the OData service must not be impersonated. Web Api 1 calls both services using WebRequest. We have Kerberos delegation configured properly. What works (kinda): If I turn

How to retrieve group membership from a kerberos ticket?

若如初见. submitted on 2019-12-09 11:52:45
Question: I am trying to extract group membership information from a Kerberos ticket generated on Windows 2008 R2. In a URL, I found the following statement: "Kerberos is also looking into mechanisms to include group membership information in Kerberos authorization data. Although it would be favourable to include group names into ACLs, GSS-API currently does not have a mechanism to support this." It seems Microsoft has extended Kerberos to include group membership, based on this URL: http://msdn.microsoft

Common kerberos commands

…衆ロ難τιáo~ submitted on 2019-12-09 11:28:38
Assumptions: 1: you already know what Kerberos does and what it is for. 2: the operator is called zhangsan. Common commands (command: description). kdestroy: destroy tickets. kinit zhangsan: (password required) obtain zhangsan's ticket; the ticket lifetime uses the default value, here 12 hours. kinit -l 1h zhangsan: obtain zhangsan's ticket with an expiry time of 1 hour; the units for the expiry time are s (seconds), m (minutes), h (hours) and d (days); if the time exceeds the configured maximum, the maximum is used. klist: view tickets; Valid starting is the start time, Expires is the expiry time, and renew until is the time before which the ticket can be renewed without a password. kinit -R: renew; note that this does not change renew until. The client configuration file is /etc/krb5.conf. A Kerberos ticket has two attributes, ticket_lifetime and renew_lifetime. ticket_lifetime indicates how long the ticket is valid, generally 24 hours. Before the ticket expires, some tickets can have their expiry extended (i.e. they are Renewable); renew_lifetime indicates the maximum period over which a ticket can be renewed, generally one week. Once the ticket has expired, subsequent access to services that require authentication fails. Reference: https://docs.oracle.com/cd/E56344_01/html/E54075/kinit-1.html Chinese manual