Re: [Perlgssapi-users] SSO on Windows
From: Achim G. <ac...@gr...> - 2012-12-04 13:25:33
Hi Sam,

that means there is no interactive user?

In that case (for example in a cronjob) you run kinit with the keytab option and use the key from the keytab file instead of a password.

example:

achim@beren [~]$ kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

to get a TGT for principal 'HTTP/beren.grolmsnet.de'.

Best Regards,
Achim

On Tuesday 04 December 2012, sam...@ba... wrote:
> Thanks again, Achim.
>
> If a password needs to be entered interactively at log-on, how can GSSAPI
> be used on servers? We run our applications either as services, or via
> scheduled tasks (Windows)/cron (Linux), under a non-interactive system
> account. There is no interaction either at start-up or at logon.
>
> Thanks,
> Sam
>
> -----Original Message-----
> From: Achim Grolms [mailto:ac...@gr...]
> Sent: Tuesday, December 04, 2012 1:57 PM
> To: Ferencik, Samuel: Markets (PRG)
> Cc: per...@li...
> Subject: Re: [Perlgssapi-users] SSO on Windows
>
> Hi Sam,
>
> kinit is run only once, at user-logon-time to get the "Ticket Granting
> Ticket" (TGT).
>
> This TGT is used to get the "Service Tickets" for accessing the services
> (for example ldap, cifs, pop3 etc.)
>
> in other words: "Getting the TGT" is a step that takes place
> on both systems at logon-time:
>
> a) Windows-SSPI: When a user logs into his machine by Domain-Account (use
> kerbtray.exe to make the tickets visible)
>
> b) MIT/Heimdal: when running kinit.
>
> There is a special case of b) when Kerberos is used to login
> into the machine, for example by pam-krb5.
> In this case the TGT can be pulled by the login-procedure with
> no need to run kinit.
>
> Another special case is when accessing a remote-machine with
> TGT-forwarding: In that case a TGT is transported to the remote-machine
> with no need to run kinit again on the remote machine.
>
> I am pretty unsure if MIT/Heimdal can make direct use of the SSPI-TGTs
> or wrap the SSPI calls into a GSSAPI-Interface, I am unfamiliar with the
> current development-tree.
>
> Best Regards,
> Achim
>
> On Tuesday 04 December 2012, sam...@ba... wrote:
> > Hi,
> >
> > Do I understand correctly that GSSAPI with MIT Kerberos can only work
> > after some initial run of kinit involving entering the password? (This
> > time I mean the question for both Windows and Unix.) If so, how is this
> > usually architected? When is kinit executed? At system startup? At user
> > logon? With each process?
> >
> > Thanks,
> > Sam
> >
> > -----Original Message-----
> > From: Ferencik, Samuel: Markets (PRG)
> > Sent: Thursday, November 29, 2012 9:23 PM
> > To: 'ac...@gr...'; per...@li...
> > Subject: RE: [Perlgssapi-users] SSO on Windows
> >
> > Hi Achim,
> >
> > Thanks for the quick response.
> >
> > Does this mean that it's not possible via GSSAPI & KfW?
> >
> > Yes, please forward the patches, I will give them a try. Direct
> > integration with SSPI would be wonderful!
> >
> > Thanks,
> > Sam
> >
> > -----Original Message-----
> > From: Achim Grolms [mailto:ac...@gr...]
> > Sent: Thursday, November 29, 2012 9:19 PM
> > To: per...@li...; Ferencik, Samuel: Markets (PRG)
> > Subject: Re: [Perlgssapi-users] SSO on Windows
> >
> > Hi Sam,
> >
> > As far as I know it is possible.
> > I've patches in my inbox that modify LWP::Authen::Negotiate to make
> > direct use of the SSPI-API, but I still have integrated the patches.
> >
> > Please let me know if you want me to forward the patches to you,
> > you can give it a try on your own.
> >
> > Sorry.
> >
> > Best Regards,
> > Achim
> >
> > On Thursday 29 November 2012, sam...@ba... wrote:
> > > Hi,
> > >
> > > Is it possible for LWP::Authen::Negotiate / GSSAPI to use the Windows
> > > credentials cache transparently?
> > >
> > > We have a Perl application making HTTP requests to an intranet web
> > > server (IIS). We need the app to authenticate with the server, but we
> > > don't want to
> > >
> > > - (store and) send the password
> > >
> > > - run kinit interactively.
> > >
> > > The reason is that the application runs non-interactively (as a Windows
> > > service), so any need to enter a password even once would defeat the
> > > purpose.
> > >
> > > I've installed MIT KfW, and got the GSSAPI unit tests to pass, but I think
> > > there's more to it than that (setting up krb5.ini, perhaps running
> > > kinit.exe) and I'm not even sure this all will achieve what I need...
> > >
> > > Please advise.
> > >
> > > Thanks,
> > > Sam
> >
> > _______________________________________________
> > Perlgssapi-users mailing list
> > Per...@li...
> > https://lists.sourceforge.net/lists/listinfo/perlgssapi-users
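Achim's advice above, as a cron wrapper added here (not code from the thread or from the perl-GSSAPI project): it refuses a keytab that is readable by group or others, gives the job its own credential cache so parallel jobs cannot share tickets, runs kinit -k -t, verifies the TGT with klist -s, runs the job, and destroys the cache afterwards. It assumes MIT Kerberos command-line tools; the keytab path and principal are the ones from Achim's example and are overridable through the environment.

```shell
#!/bin/sh
# Added example: run a non-interactive job with a TGT obtained from a keytab.
# Defaults taken from Achim's kinit example; override KEYTAB / PRINCIPAL for your site.
KEYTAB="${KEYTAB:-/usr/local/apache/conf/http_beren.krb5keytab}"
PRINCIPAL="${PRINCIPAL:-HTTP/beren.grolmsnet.de}"

# keytab_is_private FILE: succeed only if FILE exists and has no group/other bits.
# A keytab is password-equivalent, so a readable keytab is the one thing to refuse.
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# ccache_for JOB: print a per-user, per-job credential cache name so two jobs
# started by the same account never read or clobber each other's tickets.
ccache_for() {
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$(id -u)" "$1"
}

# run_with_keytab JOB CMD...: get a TGT from KEYTAB into a private cache,
# check it, run CMD with that cache, then destroy the cache.
run_with_keytab() {
    job="$1"; shift
    keytab_is_private "$KEYTAB" || {
        echo "refusing: $KEYTAB missing or readable by group/other" >&2
        return 2
    }
    KRB5CCNAME="$(ccache_for "$job")"; export KRB5CCNAME
    # -k: authenticate with a keytab key, -t: which keytab (Achim's invocation)
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 3
    # klist -s prints nothing and exits non-zero if the cache holds no valid TGT
    klist -s || { echo "no valid TGT in $KRB5CCNAME" >&2; return 4; }
    if "$@"; then rc=0; else rc=$?; fi
    kdestroy
    return $rc
}

# Usage from cron, e.g.: run_with_keytab nightly perl /path/to/app.pl
```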