Generating AD Kerberos tickets without user password
I am developing a Java EE server application that needs to generate a Kerberos ticket on behalf of a user.

The application I am developing will authenticate the user using alternate credentials (non-Active Directory, say biometric), and then needs to somehow generate a Kerberos ticket showing the user is authenticated. I will then use the Kerberos ticket to generate a SPNEGO token, and insert the token in the HTTP header so the user does not have to be re-authenticated on subsequent requests from the browser.

Is it possible to generate that Kerberos ticket on behalf of the user without the user's raw AD password? (Assume I have access to an AD service account login and password.) If it is possible, how would I go about doing it? What kind of configuration and permissions are necessary?

Signify answered 10/12, 2012 at 17:35 Comment(0)
Yes, that is possible. Microsoft has extended Kerberos for this. This is called Services for User (S4U). Your case is called S4U2Self (protocol transition). This will be available with Java 8. You can check the ticket and add that code to your Java endorsed classpath. You can read more in the MIT Kerberos wiki.

Lucindalucine answered 11/12, 2012 at 11:3 Comment(2)
Glad I was able to help you. If you get this working, please share your experience. You might want to upvote my answer too. - Lucindalucine
Please note that you will need to obtain the UPN from the client somehow. - Lucindalucine
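The answer names the mechanism (S4U2Self, exposed in JDK 8+ JGSS) but not the calls. The following is an added example, not code from the original answer or from the asker's project, showing how a service that has already authenticated the user by other means gets a SPNEGO token in that user's name without ever seeing the user's password. Everything environment-specific is a placeholder assumption: the JAAS entry name "ServiceAccount", the keytab path, the service account svc-webapp@EXAMPLE.COM, the user UPN alice@EXAMPLE.COM (which, as the comment above says, your own authentication step has to map the user to) and the target SPN HTTP/intranet.example.com.

```java
// Added example (not from the original post): S4U2Self + S4U2Proxy with the JDK 8+ JGSS extension.
// All principals, paths and the JAAS entry name below are hypothetical placeholders.
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4U2SelfSpnego {
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";
    private static final String SPNEGO_MECH = "1.3.6.1.5.5.2";

    /**
     * Log the service account in via JAAS using its keytab, so its TGT lives in the returned Subject.
     * Assumes -Djava.security.auth.login.config=jaas.conf containing an entry such as (hypothetical):
     *   ServiceAccount { com.sun.security.auth.module.Krb5LoginModule required
     *     useKeyTab=true keyTab="/etc/svc-webapp.keytab" principal="svc-webapp@EXAMPLE.COM"
     *     storeKey=true doNotPrompt=true isInitiator=true; };
     */
    static Subject loginService() throws Exception {
        LoginContext lc = new LoginContext("ServiceAccount");
        lc.login();
        return lc.getSubject();
    }

    /**
     * Build a SPNEGO initiator token for targetSpn on behalf of userUpn.
     * Must run inside Subject.doAs(serviceSubject, ...) so createCredential finds the service TGT.
     */
    static byte[] spnegoTokenFor(String userUpn, String targetSpn) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH);
        Oid spnego = new Oid(SPNEGO_MECH);

        // The service account's own credential, backed by the TGT from the JAAS login.
        GSSCredential serviceCred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

        // S4U2Self (protocol transition): ask the KDC for a ticket to ourselves in the user's name.
        // No user password is involved; the KDC decides based on the service account's delegation settings.
        GSSName user = manager.createName(userUpn, GSSName.NT_USER_NAME);
        GSSCredential impersonated = ((ExtendedGSSCredential) serviceCred).impersonate(user);

        // S4U2Proxy happens under the hood when the impersonated credential initiates a context to the target.
        // The KDC only issues this service ticket if targetSpn is listed in the account's msDS-AllowedToDelegateTo.
        GSSName target = manager.createName(targetSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(target, spnego, impersonated, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);   // one-shot token for an Authorization header; no reply expected
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        ctx.dispose();
        return token;
    }

    public static void main(String[] args) throws Exception {
        Subject svc = loginService();
        // The UPN comes from whatever non-AD authentication the application performed (placeholder here).
        byte[] token = Subject.doAs(svc, (PrivilegedExceptionAction<byte[]>) () ->
                spnegoTokenFor("alice@EXAMPLE.COM", "HTTP@intranet.example.com"));
        System.out.println("Authorization: Negotiate " + Base64.getEncoder().encodeToString(token));
    }
}
```

On the AD side the service account needs constrained delegation with protocol transition: in the account's Delegation tab, "Trust this user for delegation to specified services only" with "Use any authentication protocol", and the target SPN(s) added to the list. The same thing from PowerShell is `Set-ADAccountControl svc-webapp -TrustedToAuthForDelegation $true` and `Set-ADUser svc-webapp -Add @{'msDS-AllowedToDelegateTo'='HTTP/intranet.example.com'}`. Without the protocol-transition flag the S4U2Self ticket is still returned but is not forwardable, and the `initSecContext` call above fails when the KDC refuses the S4U2Proxy step. Two caveats worth checking before deploying this: the service account and its keytab become an "impersonate any user" credential for the listed targets, so treat the keytab like a domain-admin secret, and users marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group cannot be impersonated this way by design.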
