Re: [Perlgssapi-users] SSO on Windows
From: Achim G. <ac...@gr...> - 2012-12-04 12:56:55
Hi Sam,

kinit is run only once, at user-logon-time, to get the "Ticket Granting Ticket" (TGT). This TGT is used to get the "Service Tickets" for accessing the services (for example ldap, cifs, pop3 etc.). In other words: "Getting the TGT" is a step that takes place on both systems at logon-time:

a) Windows-SSPI: when the user logs into his machine with a Domain-Account (use kerbtray.exe to make the tickets visible)

b) MIT/Heimdal: when running kinit.

There is a special case of b) when Kerberos is used to log into the machine, for example by pam-krb5. In this case the TGT can be pulled by the login-procedure with no need to run kinit.

Another special case is when accessing a remote machine with TGT-forwarding: in that case a TGT is transported to the remote machine with no need to run kinit again on the remote machine.

I am pretty unsure if MIT/Heimdal can make direct use of the SSPI-TGTs or wrap the SSPI calls into a GSSAPI-Interface; I am unfamiliar with the current development-tree.

Best Regards,
Achim

On Tuesday 04 December 2012, sam...@ba... wrote:
> Hi,
>
> Do I understand correctly that GSSAPI with MIT Kerberos can only work after
> some initial run of kinit involving entering the password? (This time I
> mean the question for both Windows and Unix.) If so, how is this usually
> architected? When is kinit executed? At system startup? At user logon?
> With each process?
>
> Thanks,
> Sam
>
> -----Original Message-----
> From: Ferencik, Samuel: Markets (PRG)
> Sent: Thursday, November 29, 2012 9:23 PM
> To: 'ac...@gr...'; per...@li...
> Subject: RE: [Perlgssapi-users] SSO on Windows
>
> Hi Achim,
>
> Thanks for the quick response.
>
> Does this mean that it's not possible via GSSAPI & KfW?
>
> Yes, please forward the patches, I will give them a try. Direct integration
> with SSPI would be wonderful!
>
> Thanks,
> Sam
>
> -----Original Message-----
> From: Achim Grolms [mailto:ac...@gr...]
> Sent: Thursday, November 29, 2012 9:19 PM
> To: per...@li...; Ferencik, Samuel: Markets (PRG)
> Subject: Re: [Perlgssapi-users] SSO on Windows
>
> Hi Sam,
>
> As far as I know it is possible.
> I've patches in my inbox that modify LWP::Authen::Negotiate to make
> direct use of the SSPI-API, but I still have integrated the patches.
>
> Please let me know if you want me to forward the patches to you,
> you can give it a try on your own.
>
> Sorry.
>
> Best Regards,
> Achim
>
> On Thursday 29 November 2012, sam...@ba... wrote:
> > Hi,
> >
> > Is it possible for LWP::Authen::Negotiate / GSSAPI to use the Windows
> > credentials cache transparently?
> >
> > We have a Perl application making HTTP requests to an intranet web server
> > (IIS). We need the app to authenticate with the server, but we don't want
> > to
> >
> > - (store and) send the password
> >
> > - run kinit interactively.
> >
> > The reason is that the application runs non-interactively (as a Windows
> > service), so any need to enter a password even once would defeat the
> > purpose.
> >
> > I've installed MIT KfW, and got the GSSAPI unit tests to pass, but I think
> > there's more to it than that (setting up krb5.ini, perhaps running
> > kinit.exe) and I'm not even sure this all will achieve what I need...
> >
> > Please advise.
> >
> > Thanks,
> > Sam

_______________________________________________
Perlgssapi-users mailing list
Per...@li...
https://lists.sourceforge.net/lists/listinfo/perlgssapi-users
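The following is an added example, not code from this thread, from GSSAPI.pm or from LWP::Authen::Negotiate. It does by hand what LWP::Authen::Negotiate automates, so the point Achim makes above can be checked directly: the script never calls kinit, builds the Negotiate header from whatever TGT the default credential cache already holds (the logon-time TGT, an earlier kinit, or a forwarded TGT), and reports the GSSAPI error instead of prompting when no TGT is there. It also feeds the server's response token back into the context so that the mutual-authentication flag actually verifies the server. Assumptions: the host name intranet.example.com and the URL are placeholders; a krb5 configuration that resolves the realm is in place; the IIS server's SPN HTTP/intranet.example.com is registered. Whether the MIT library on Windows can read the SSPI tickets is exactly the question Achim leaves open, so on Windows this demonstrates his case b) (a TGT obtained by kinit), not SSPI.

```perl
#!/usr/bin/perl
# Added example for this thread; not code from GSSAPI.pm or LWP::Authen::Negotiate.
# HTTP Negotiate handshake done by hand, using whatever TGT the default credential
# cache already holds. kinit is never called: with no TGT present, the error from
# the library is reported instead of a password prompt.
# Placeholders (assumptions, not from the thread): host intranet.example.com, a
# krb5 configuration that resolves the realm, and an IIS server whose SPN
# HTTP/intranet.example.com is registered.
use strict;
use warnings;
use GSSAPI;
use LWP::UserAgent;
use HTTP::Request;
use URI;
use MIME::Base64 qw(encode_base64 decode_base64);

# Import the service name HTTP@<host>: the SPN the service ticket is issued for.
sub target_name {
    my ($host) = @_;
    my $target;
    my $status = GSSAPI::Name->import($target, "HTTP\@$host",
                                      GSSAPI::OID::gss_nt_hostbased_service);
    die "cannot import HTTP\@$host: " . join(' ', $status->generic_message) . "\n"
        unless $status->major == GSS_S_COMPLETE;
    return $target;
}

# One initiator step of the context handshake. $in_token is q{} on the first
# call and the base64-decoded server token afterwards.
# Returns ($out_token, $complete); dies with the library's message on failure.
sub init_step {
    my ($ctx, $target, $in_token) = @_;
    my ($out_token, $out_flags);
    my $status = GSSAPI::Context::init(
        $ctx,
        GSS_C_NO_CREDENTIAL,        # default credential cache: no password here
        $target,
        GSS_C_NO_OID,               # let the library pick the mechanism (Kerberos)
        GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
        0,                          # default context lifetime
        GSS_C_NO_CHANNEL_BINDINGS,
        $in_token,
        undef,                      # actual mechanism: not needed
        $out_token,
        $out_flags,
        undef,                      # time_rec: not needed
    );
    return ($out_token, 1) if $status->major == GSS_S_COMPLETE;
    return ($out_token, 0) if $status->major == GSS_S_CONTINUE_NEEDED;
    die "GSSAPI init failed (is a TGT in the cache? check klist / kerbtray.exe): "
      . join(' ', $status->generic_message, $status->specific_message) . "\n";
}

# GET $url; on a "401 Negotiate" challenge, retry with the Kerberos token and
# then verify the server's reply token (mutual authentication).
sub negotiate_get {
    my ($ua, $url) = @_;
    my $target = target_name(URI->new($url)->host);
    my $ctx    = GSSAPI::Context->new();

    my $res = $ua->get($url);
    my $challenge = $res->header('WWW-Authenticate') // '';
    return $res unless $res->code == 401 && $challenge =~ /\bNegotiate\b/;

    my ($token, $done) = init_step($ctx, $target, q{});
    my $req = HTTP::Request->new(GET => $url);
    $req->header(Authorization => 'Negotiate ' . encode_base64($token, ''));
    $res = $ua->request($req);
    return $res if $res->code == 401;   # ticket presented but access denied

    # With GSS_C_MUTUAL_FLAG the first step returns CONTINUE_NEEDED; the server
    # must send its own token back, proving it holds the service key.
    if (!$done) {
        my $reply = $res->header('WWW-Authenticate') // '';
        die "mutual authentication requested but the server sent no token\n"
            unless $reply =~ /^Negotiate\s+(\S+)/;
        my (undef, $complete) = init_step($ctx, $target, decode_base64($1));
        die "server token did not complete the security context\n" unless $complete;
    }
    return $res;
}

# Sample use with the placeholder host. Run klist (or kerbtray.exe) first: with
# an empty cache this dies in init_step; after a logon-time TGT or one kinit it
# authenticates without any password being handled by the script.
if (!caller) {
    my $ua  = LWP::UserAgent->new;
    my $res = negotiate_get($ua, 'http://intranet.example.com/');
    print $res->status_line, "\n";
}
```

The check a practitioner wants before blaming the module is the one the die message points at: if klist shows no TGT, GSSAPI cannot obtain a service ticket, and neither LWP::Authen::Negotiate nor this script can do better, whichever of Achim's cases a) or b) put the TGT there.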