AD Kerberos Ticket authentication
Hi,
I have a pair of questions about authentication/validation of Kerberos tickets against Active Directory.
I needed to validate a Kerberos Ticket obtained in a login to an Active Directory. I have done so with the following steps.
a) I have modified the Krb5LoginModule so as to create the Credentials I needed from a Kerberos TGT obtained previously and stored elsewhere than a credentials cache.
b) The Krb5LoginModule does its job and creates the private credentials (a KerberosTicket class) from these Credentials and stores it in the Subject.
c) Then I use a privileged action to access the Active Directory from LDAP (with GSSAPI security) and it uses the credentials I have created in (a).
This method works and is capable of authenticating against Active Directory. The question is:
Q1 - Does anyone know a better approach to do the same work (authenticate/validate a Kerberos ticket)?
When LDAP authenticates the ticket (it is a TGT) it stores another ticket into the private credentials of the Subject. Then if I authenticate again (with the current Subject) I see in the logs that this new credential is a Service Ticket and GSSAPI uses it.
...
Found ticketfor MYUSER@MYCOMPANY.COM to go to ldap/nancyiii.MYCOMPANY.COM@MYCOMPANY.COM expiring on Fri Mar 23 00:02:39 CET 2007
Found ticketfor MYUSER@MYCOMPANY.COM to go to krbtgt/MYCOMPANY.COM@MYCOMPANY.COM expiring on Fri Mar 23 00:02:39 CET 2007
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticketfor MYUSER@MYCOMPANY.COM to go to ldap/nancyiii.MYCOMPANY.COM@MYCOMPANY.COM expiring on Fri Mar 23 00:02:39 CET 2007
Found service ticket in the subjectTicket (hex) =
...
But if I try to use this Service Ticket alone there is a crash saying that it failed to find a Kerberos Ticket.
...
Found ticketfor MYUSER@MYCOMPANY.COM to go to ldap/nancyiii.MYCOMPANY.COM@MYCOMPANY.COM expiring on Fri Mar 23 00:02:39 CET 2007
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
...
Q2 - How can I validate a Service Ticket? Is it possible to do that with LDAP and GSSAPI?
Thanks in advance and forgive my English.
Jose
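Steps (a) to (c) of the post expressed in code, as an added example that is not part of the original message: a KerberosTicket is built from the fields of a TGT stored outside the credentials cache, placed in a Subject, and the LDAP bind to the nancyiii host runs under Subject.doAs with SASL/GSSAPI. The class name, the method names and the placeholder ticket bytes, session key and key type are assumptions; the principal names and host come from the post.

```java
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class StoredTgtLdapBind {

    // Steps (a)/(b): build the private credential straight from a TGT that was
    // obtained earlier and persisted elsewhere than a credentials cache.
    // asn1Ticket, sessionKey and keyType are whatever the caller stored; they are
    // placeholders here. The session key is secret material, so wherever the
    // ticket is kept must be protected like any other credential.
    static Subject subjectFromStoredTgt(byte[] asn1Ticket, byte[] sessionKey,
                                        int keyType, Date authTime, Date endTime) {
        KerberosPrincipal client = new KerberosPrincipal("MYUSER@MYCOMPANY.COM");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/MYCOMPANY.COM@MYCOMPANY.COM");
        boolean[] flags = new boolean[32];   // ticket flags bit by bit; none set here
        KerberosTicket tgt = new KerberosTicket(asn1Ticket, client, tgs, sessionKey,
                keyType, flags, authTime, authTime, endTime,
                null /* not renewable */, (InetAddress[]) null /* any address */);
        Subject subject = new Subject();
        subject.getPrincipals().add(client);
        subject.getPrivateCredentials().add(tgt);
        return subject;
    }

    // Step (c): bind to Active Directory over LDAP with SASL/GSSAPI inside a
    // privileged action, so the Kerberos mechanism takes the ticket from the
    // Subject rather than from a credentials cache or a login prompt.
    static DirContext bindWithGssapi(Subject subject, String ldapUrl) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<DirContext>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);   // e.g. ldap://nancyiii.MYCOMPANY.COM
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            return new InitialDirContext(env);        // bind fails if the ticket is rejected
        });
    }
}
```

A successful InitialDirContext means the domain controller accepted the ticket; a rejected or expired TGT surfaces as a javax.naming exception wrapped in PrivilegedActionException.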