On 2012-08-02 22:52, Simo Sorce wrote:
> On Thu, 2012-08-02 at 22:14 +0200, Peter Mogensen wrote:
>> But then say the web server used HTTP Digest with a nonce and computed
>> hash result provided by the KDC.
>> Then the password (and access to requesting TGTs) would still only be
>> shared by the user and KDC.
> Then you need to have a way to share the digest with the KDC, that's not
> easy.
I'm aware that this is not easy in the Kerberos protocol, but say:

* The user (browser) makes an HTTP request to a web server.
* The web server connects to the KDC via some companion service or a protocol extension to get a nonce (or uses a timestamp)
* ... which the web server then sends to the client in a WWW-Authenticate: Digest header.
* The client responds via HTTP with the digest.
* The web server sends an S4U2Self with a (say) PA-HTTP-DIGEST containing the user, realm, nonce and digest.
* The KDC checks the nonce/digest and confirms the authentication along with an S4U2Self service ticket for the web server.
* The web server serves the resource (potentially using the service ticket).

/Peter

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
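The flow proposed above, modelled as an added example (not code from the thread or from any Kerberos implementation): three parties, where only the browser and the KDC ever hold the password, the web server relays nonce and digest, and the KDC validates the RFC 2617 Digest response before handing back an S4U2Self-style result. PA-HTTP-DIGEST is the hypothetical pre-authentication type from the post, and the KDC is assumed to store H(A1) = MD5(user:realm:password), which is exactly the "share the digest with the KDC" step Simo points to; the nonce is single-use so a captured digest cannot be replayed.

```python
import hashlib
import secrets

REALM = "EXAMPLE.COM"  # constructed sample realm


def _md5(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; it is used here only for that protocol.
    return hashlib.md5(s.encode()).hexdigest()


class KDC:
    """Holds user secrets, issues nonces, validates the (hypothetical) PA-HTTP-DIGEST."""

    def __init__(self):
        self.h_a1 = {}        # user -> H(A1); the only place password material lives
        self.nonces = set()   # outstanding single-use nonces

    def enroll(self, user, password):
        self.h_a1[user] = _md5(f"{user}:{REALM}:{password}")

    def issue_nonce(self):
        n = secrets.token_hex(16)
        self.nonces.add(n)
        return n

    def s4u2self_http_digest(self, service, user, nonce, method, uri, digest):
        # Reject unknown users and unknown or already-consumed nonces (replay).
        if nonce not in self.nonces or user not in self.h_a1:
            return None
        self.nonces.discard(nonce)
        expected = _md5(f"{self.h_a1[user]}:{nonce}:{_md5(f'{method}:{uri}')}")
        if not secrets.compare_digest(expected, digest):
            return None
        return {"client": user, "service": service}  # stands in for the S4U2Self ticket


class Browser:
    def __init__(self, user, password):
        self.user, self.password = user, password

    def respond(self, nonce, method, uri):
        # Standard Digest response: MD5(H(A1):nonce:H(A2)); the password never leaves here.
        h_a1 = _md5(f"{self.user}:{REALM}:{self.password}")
        return _md5(f"{h_a1}:{nonce}:{_md5(f'{method}:{uri}')}")


def web_request(kdc, browser, method="GET", uri="/secret"):
    """Web server side of the flow: it sees nonce and digest, never the password."""
    nonce = kdc.issue_nonce()                      # nonce from KDC, sent in WWW-Authenticate
    digest = browser.respond(nonce, method, uri)   # client answers over HTTP
    return kdc.s4u2self_http_digest("HTTP/www.example.com", browser.user, nonce, method, uri, digest)
```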
