Peter Mogensen <[email protected]> writes:

> I'm trying to understand what's going on "under the hood" in WebAuth,
> and one thing is puzzling me.
>
> When I set "WebAuthSubjectAuthType krb5", I can see in wireshark (as
> expected) that the TGT from the webkdc-proxy token is used to get a
> service ticket.
> But, isn't the authenticator in the PA-TGS-REQ AP-REQ structure supposed
> to be encrypted with the session key from the TGT?
> So the question is, how does the WebKDC get knowledge of the TGT session
> key?

It's part of the TGT, which is contained in the webkdc-proxy token.

In order to generate the krb5 authenticator, the WebKDC extracts the
user's TGT from the webkdc-proxy token and stores it in a Kerberos ticket
cache, just as if it had run kinit on behalf of the user. It then does a
normal krb5_mk_req call to create a Kerberos authenticator from that TGT
for the principal of the WAS, and then stuffs that authenticator into the
id token.

-- 
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
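The point of the reply is that a Kerberos "ticket" as stored in a ccache (and as carried in the webkdc-proxy token) is really a credential: the ticket blob, which the client cannot read, plus the session key. The session key is what seals the AP-REQ authenticator, so holding the full credential is enough to build one and holding the bare ticket is not. The toy model below, added here as an illustration and not part of the original thread or of WebAuth's code, walks the flow Russ describes: an AS exchange yields the TGT credential, a krb5_mk_req-style call builds the PA-TGS-REQ AP-REQ from it, the TGS returns a service ticket for the WAS, a second mk_req produces the authenticator that goes into the id token, and the WAS verifies it with its own key. The principals, keys and the SHA-256-keystream-plus-HMAC "encryption" are constructed stand-ins, not real krb5 cryptography or message formats.

```python
"""Toy model of the TGT / AP-REQ relationship from the reply above.

A credential is (ticket, session_key). Tickets are sealed with a long-term
key only the KDC or the service holds; authenticators are sealed with the
session key. Constructed example, not real Kerberos: the "cipher" is a
SHA-256 counter keystream with an HMAC tag, and all keys are made up here.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag (toy AEAD)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered blob")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# Long-term keys: the krbtgt key lives only at the KDC, the service key only
# at the WAS (and the KDC). Both are constructed placeholders.
KRBTGT_KEY = hashlib.sha256(b"toy krbtgt key").digest()
SERVICE_KEYS = {"HTTP/was.example.com": hashlib.sha256(b"toy WAS key").digest()}


def kdc_as_exchange(client: str) -> dict:
    """AS exchange. Returns what kinit stores in the ccache and what the
    webkdc-proxy token carries: the opaque TGT plus its session key."""
    sk = os.urandom(32).hex()
    ticket = seal(KRBTGT_KEY, {"client": client, "session_key": sk, "sname": "krbtgt"})
    return {"ticket": ticket, "session_key": sk}


def mk_req(cred: dict, client: str) -> dict:
    """krb5_mk_req analogue: AP-REQ = ticket + authenticator sealed with the
    credential's session key. Without the session key there is no authenticator."""
    if "session_key" not in cred:
        raise KeyError("no session key in credential: cannot build authenticator")
    auth = seal(bytes.fromhex(cred["session_key"]),
                {"client": client, "ctime": int(time.time())})
    return {"ticket": cred["ticket"], "authenticator": auth}


def rd_req(long_term_key: bytes, ap_req: dict) -> dict:
    """krb5_rd_req analogue, run by the TGS (with the krbtgt key) or by the WAS
    (with its service key): open the ticket, recover the session key, open the
    authenticator, and check that it matches the ticket and is fresh."""
    tkt = unseal(long_term_key, ap_req["ticket"])
    auth = unseal(bytes.fromhex(tkt["session_key"]), ap_req["authenticator"])
    if auth["client"] != tkt["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(time.time() - auth["ctime"]) > 300:
        raise ValueError("authenticator outside allowed clock skew")
    return tkt


def kdc_tgs_exchange(ap_req: dict, sname: str) -> dict:
    """TGS exchange: the PA-TGS-REQ carries an AP-REQ built from the TGT."""
    tgt = rd_req(KRBTGT_KEY, ap_req)
    sk = os.urandom(32).hex()
    ticket = seal(SERVICE_KEYS[sname], {"client": tgt["client"], "session_key": sk, "sname": sname})
    return {"ticket": ticket, "session_key": sk}


def webkdc_flow(user: str, was: str) -> dict:
    """The WebKDC's job as described in the reply: take the TGT credential from
    the proxy token, get a service ticket for the WAS, build the authenticator
    for the id token. Returns what the WAS recovers when it verifies it."""
    proxy_token_cred = kdc_as_exchange(user)                 # from the webkdc-proxy token
    svc_cred = kdc_tgs_exchange(mk_req(proxy_token_cred, user), was)
    id_token_ap_req = mk_req(svc_cred, user)                 # what goes into the id token
    return rd_req(SERVICE_KEYS[was], id_token_ap_req)        # the WAS side


def bare_ticket_cannot_authenticate(user: str) -> bool:
    """Show why the session key must travel with the ticket."""
    cred = kdc_as_exchange(user)
    try:
        mk_req({"ticket": cred["ticket"]}, user)
    except KeyError:
        return True
    return False


def wrong_service_key_is_rejected(user: str, was: str) -> bool:
    """A WAS holding a different key cannot open the ticket, so the session key
    and hence the authenticator stay out of reach."""
    svc_cred = kdc_tgs_exchange(mk_req(kdc_as_exchange(user), user), was)
    try:
        rd_req(hashlib.sha256(b"some other key").digest(), mk_req(svc_cred, user))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(webkdc_flow("alice@EXAMPLE.COM", "HTTP/was.example.com"))
```

Two details of the model match what to look for on the wire: the TGS only ever sees the TGT blob plus an authenticator it can open after recovering the session key from that blob with the krbtgt key, and the WAS does the same with its own key, which is why the id token's authenticator verifies without the WAS ever seeing the user's TGT.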
