This is a discussion on Re: Application to extract Kerberos Cerdential - Kerberos
On Wed, Sep 10, 2008 at 3:59 PM, Rahul Kohli wrote:
> Hi Henry,
> Thanks for your response.
> This C application (shared library) will be used for validating the Kerberos credential of a user with the KDC on Microsoft AD 2003.
> Please suggest how we can use/develop a C application to validate a user's Kerberos credentials with a KDC located on a different system.
You don't need to communicate with the KDC to validate the Kerberos
token supplied by an HTTP client. You only need to use the service
credential to decrypt the authenticator in the token and verify that
the timestamp is within an acceptable range. And, depending on the
system you're using, there are C routines that will perform all of
these details for you. For example, UNIX systems usually come with a
library called GSSAPI that has a gss_accept_sec_context function that
does what you want. Sometimes GSSAPI is part of the Kerberos
installation (e.g. on Linux GSSAPI usually comes with the MIT Kerberos
packages). On Windows, there's something called SSPI which has a very
similar function called AcceptSecurityContext.
> --- On Wed, 9/10/08, Henry B. Hotz
> From: Henry B. Hotz
> Subject: Re: Application to extract Kerberos Cerdential
> To: "email@example.com"
> Date: Wednesday, September 10, 2008, 10:45 PM
> On Sep 10, 2008, at 9:17 AM, firstname.lastname@example.org wrote:
>> Message: 1
>> Date: Wed, 10 Sep 2008 07:05:39 -0700 (PDT)
>> From: Rahul Kohli
>> Subject: Application to extract Kerberos Cerdentials
>> To: email@example.com
>> Message-ID: <firstname.lastname@example.org>
>> Content-Type: text/plain; charset=iso-8859-1
>> Hi All,
>> I am using Kerberos Client installed on HP-UX with Active Directory
>> 2003 (KDC Server). I have verified the setup to be working fine
>> using Kinit and Klist utilities installed with Kerberos Client.
>> I need to develop a sample C/C++ application that can extract User's
>> kerberos credentials from the browser HTTP request and pass it to
>> Kerberos Client for validation with KDC Server.
>> Please suggest how can we extract user's kerberos credentials from
>> Browser. Where can I get details of the API's to be used for this
> I think this kind of question belongs on the email@example.com list,
> since it's not specific to the MIT implementation. I've set the reply-
> to header accordingly.
> I don't understand the application you're proposing. Is it possible
> that what you want is really a web server module like mod_auth_kerb?
> I can't imagine why you would want a *browser* to check a user's
> credentials because the user owns the browser and can run whichever
> one he/she wants, including a custom-modified one.
> For the normal usage scenarios the "extraction" process happens
> automatically as part of some other task. If you can tell us what
> you're trying to do, then perhaps we can point you at the right API's.
Michael B Allen
PHP Active Directory SPNEGO SSO
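
The reply above says the server only needs to hand the client's token to gss_accept_sec_context; the step before that is getting the token bytes out of the HTTP request. The following is an added example, not code from the thread or from any Kerberos distribution: it assumes the token arrives as an `Authorization: Negotiate <base64>` header value (RFC 4559, which the thread does not name), and the function names `negotiate_token` and `token_kind` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one base64 character, or -1 if it is not in the alphabet. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode the token from an Authorization header value "Negotiate <base64>"
 * (RFC 4559; the scheme name is case-insensitive). Returns the token length,
 * or -1 for a wrong scheme, malformed base64, or a token larger than cap.
 * Constructed sample: "Negotiate YIIB" decodes to the bytes 60 82 01. */
long negotiate_token(const char *hdr, unsigned char *out, size_t cap) {
    size_t n = 0, len, i;
    for (i = 0; i < 10; i++)
        if (tolower((unsigned char)hdr[i]) != "negotiate "[i]) return -1;
    hdr += 10 + strspn(hdr + 10, " ");
    len = strcspn(hdr, " \r\n");
    if (len == 0 || len % 4 != 0) return -1;
    if (hdr[len + strspn(hdr + len, " \r\n")] != '\0') return -1;
    for (i = 0; i < len; i += 4) {
        int a = b64val(hdr[i]), b = b64val(hdr[i + 1]);
        int c = b64val(hdr[i + 2]), d = b64val(hdr[i + 3]);
        int pad = 0;
        if (i + 4 == len && hdr[i + 3] == '=') {  /* padding: last group only */
            pad = 1; d = 0;
            if (hdr[i + 2] == '=') { pad = 2; c = 0; }
        }
        if (a < 0 || b < 0 || c < 0 || d < 0) return -1;
        if (n + 3 - pad > cap) return -1;
        out[n++] = (unsigned char)((a << 2) | (b >> 4));
        if (pad < 2) out[n++] = (unsigned char)(((b & 15) << 4) | (c >> 2));
        if (pad < 1) out[n++] = (unsigned char)(((c & 3) << 6) | d);
    }
    return (long)n;
}

/* 1: GSS-API framed token (first byte 0x60, RFC 2743 section 3.1), the input
 *    token for gss_accept_sec_context; 0: raw NTLMSSP message, which is not
 *    Kerberos; -1: anything else, including a failed decode (len < 0). */
int token_kind(const unsigned char *tok, long len) {
    if (len >= 8 && memcmp(tok, "NTLMSSP", 8) == 0) return 0;
    if (len >= 2 && tok[0] == 0x60) return 1;
    return -1;
}
```

Only a token classified as GSS-API framed is worth passing on as the input token buffer; the framing check says nothing about validity, which is decided by the accept call using the service credential.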