This is a discussion on Computer to Computer Authentication without Logon - Kerberos ; What is the best way to authenticate a client to a kerberized service, where both the client and server are computers that want to trust eachother mutually, then want to obtain information from eachother at random times throughout a day? ...
What is the best way to authenticate a client to a kerberized service,
where both the client and server are computers that want to trust
eachother mutually, then want to obtain information from eachother at
random times throughout a day? In other words, there will not be users
loging onto either system, and the computers will need to obtain
tickets and authenticate as background processes.
Currently, I'm in the process of creating the kerberized service which
will authenticate a client, which happens to be another computer, and
will not utilize the login and password prompt that an actual user
would use. I believe that kerberos authentication requires the "client"
(in this case a computer) to have a principal and a password to request
a TGT from the KDC. Since there will be no logon prompt, I believe the
only way to achieve this is to utilize a keytab file (i.e.
computer.keytab) to obtain the desired principal name and the
associated password. Once these (password and principal) have been
retrieved from the keytab file a request, from what I understand, is
made to the KDC to get a TGT for that principal. This TGT is stored on
the local machine (client computer) in the credentials cache. A
question here is, do I need a separate credentials cache for this
computer "client" and actual users that log on to the computer? Or,
what is the best way to handle the caching of credentials for multiple
Once I have the TGT for the computer (client) in the credentials cache,
I request a TGS for the client and then send that TGS to the kerberized
service for authentication.
Is this the best way to handle authentication between two computers
desiring to authenticate eachother or is there a better way?