Dear List,

we are looking into a multi-hop, single-sign-on authentication in the context of a file service and a sync & share-like front-end to the file service. The scenario would be as follows:

- The user is (Kerberos-)authenticated to the client OS.
- The sync & share client (imagine NextCloud or similar) on the client OS authenticates the user with a Kerberos ticket to the sync & share server: first hop.
- The sync & share server accesses the file service (also known as "external storage") on behalf of the user, i.e. impersonated, based on a Kerberos authentication: second hop.

We are a little bit lost as to how to accomplish something like that. We were at first discussing ticket forwarding, but people dislike forwarding of TGTs... So we were directed to the concept of "constrained delegation", sometimes used in Microsoft/AD environments. It looks like constrained delegation has been implemented in MIT since version 1.8:

http://web.mit.edu/KERBEROS/krb5-1.11/doc/mitK5features.html
http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation

However, we are lacking information on how to actually implement and use it on the application side.

- How does one implement constrained delegation in an application?
- Is there an open source application out there where one could see and learn how to implement constrained delegation?
- Does Apache implement anything of that kind that one could build on and rely on?
- Is there a recommended way (library, bindings, anything, ...) to implement Kerberos mechanics in a PHP application?

Best regards
Robert

--
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos