Kevin Coffman <[EMAIL PROTECTED]> writes:

> Our answer to the proxy issue when certificates are used for
> authentication is Kerberized Credentials Translation (KCT). The web
> server captures the SSL handshake between itself and the client,
> forwards that handshake and other info to the KCT (a Kerberized service)
> running on a KDC machine which can issue Kerberos service tickets for
> the web server to use on the user's behalf.

How does it do this without the user's password?

> The handshake is verified by the KCT so that it can verify that the end
> user requested service from the web server. The KCT has a list which
> specifies which web servers may request what kind of service tickets.

This part sounds very similar to WebAuth's approach, but the weblogin
server additionally has the user's TGT in a cookie. Failing that, I'm not
sure I understand where it's getting the user's password or TGT in order
to obtain service tickets.

Are you storing state on the login server, maybe? We had a requirement
not to do that because we wanted to easily load-balance the login server.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
