• Kerberos token

    From m_a_n_j_u_s_k@yahoo.com@m_a_n_j_u_s_k@yahoo.com to kerberos@mit.edu on Fri Mar 22 17:49:58 2024
    From Newsgroup: comp.protocols.kerberos

    Hi,
    I have an application that authenticates against a Proxy server which uses the Kerberos authentication scheme.
    My application is using the SSPI library (github/alexbrainman/sspi Golang package to be exact) to generate a Kerberos token, and this token is passed to the Proxy server through the Proxy-Authorization header "Proxy-Authorization: Negotiate <kerberos token>".
    My query: for the subsequent calls to the proxy, do I need to regenerate this key or can I reuse the one generated the first time? Or is it that each call to the proxy is treated as a session and that Kerberos token is for that session only?
    Thanks for any info.
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Ken Hornstein@kenh@cmf.nrl.navy.mil to m_a_n_j_u_s_k@yahoo.com on Fri Mar 22 15:27:23 2024
    From Newsgroup: comp.protocols.kerberos

    >Hi, I have an application that authenticates against a Proxy server
    >which uses Kerberos authentication scheme. My application is using SSPI
    >library (github/alexbrainman/sspi Golang package to be exact) generate
    >a kerberos token and this token is passed to the Proxy server through
    >Proxy-Authorization header "Proxy-Authorization: Negotiate <kerberos
    >token>" My query, for the subsequent calls to the proxy do I need to
    >regenerate this key or can I reuse the one generated the first time ?
    >Or is it that each call to the proxy is treated as a session and that
    >Kerberos token is for that session only ?

    As a general rule, GSSAPI tokens (which in the specific case of Kerberos contain AP-REQ/AP-REP messages) are supposed to be only used once;
    they contain an expiration time in them and are supposed to be checked
    for reuse on the server side (although that may not always happen
    depending on implementation details). You should always get a new
    one by calling the appropriate APIs. Note that assuming your client
    is using a standard ticket cache only the first request will require
    contacting the KDC.

    --Ken
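The advice in the reply above, as an added Go example (not code from the thread or from the alexbrainman/sspi package): an `http.RoundTripper` that asks for a new token on every request, driven against a stand-in proxy that refuses a token it has already seen. `TokenSource`, `PerRequestToken`, `Statuses`, the 407-on-reuse behaviour and the token bytes are all assumptions made for the illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
)

// TokenSource is a hypothetical hook; a real one starts a new SSPI/GSSAPI context per call.
type TokenSource func() ([]byte, error)

type RoundTripFunc func(*http.Request) (*http.Response, error)
func (f RoundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// PerRequestToken sets a newly generated token on every outgoing request.
func PerRequestToken(next http.RoundTripper, src TokenSource) http.RoundTripper {
	return RoundTripFunc(func(r *http.Request) (*http.Response, error) {
		tok, err := src()
		if err != nil {
			return nil, err
		}
		r = r.Clone(r.Context()) // do not mutate the caller's request
		r.Header.Set("Proxy-Authorization", "Negotiate "+base64.StdEncoding.EncodeToString(tok))
		return next.RoundTrip(r)
	})
}

// Statuses sends n requests to a stand-in proxy that (assumption) answers 407 to a repeated token.
func Statuses(src TokenSource, n int) (codes []int) {
	seen := map[string]int{} // header value -> times presented
	proxy := RoundTripFunc(func(r *http.Request) (*http.Response, error) {
		h, code := r.Header.Get("Proxy-Authorization"), http.StatusOK
		if seen[h]++; seen[h] > 1 {
			code = http.StatusProxyAuthRequired
		}
		return &http.Response{StatusCode: code, Body: http.NoBody, Request: r}, nil
	})
	for rt := PerRequestToken(proxy, src); n > 0; n-- {
		req, _ := http.NewRequest("GET", "http://origin.invalid/", nil)
		if resp, err := rt.RoundTrip(req); err == nil {
			codes = append(codes, resp.StatusCode)
		}
	}
	return codes
}

func main() {
	same := func() ([]byte, error) { return []byte("constructed-token"), nil }
	fmt.Println(Statuses(same, 3)) // one token presented three times: [200 407 407]
}
```

A source that returns different bytes on each call gets 200 for every request from the same stand-in proxy.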
  • From m_a_n_j_u_s_k@yahoo.com@m_a_n_j_u_s_k@yahoo.com to kenh on Sun Mar 24 12:52:28 2024
    From Newsgroup: comp.protocols.kerberos

    Thanks Ken, I'm getting the token every time I communicate with the proxy. I was wondering if the token could be reused so that I could optimize code. Thanks for the clarification.

    On Fri, 22 Mar 2024 at 7:27 pm, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
    >>Hi, I have an application that authenticates against a Proxy server
    >>which uses Kerberos authentication scheme. My application is using SSPI
    >>library (github/alexbrainman/sspi Golang package to be exact) generate
    >>a kerberos token and this token is passed to the Proxy server through
    >>Proxy-Authorization header "Proxy-Authorization: Negotiate <kerberos
    >>token>" My query, for the subsequent calls to the proxy do I need to
    >>regenerate this key or can I reuse the one generated the first time ?
    >>Or is it that each call to the proxy is treated as a session and that
    >>Kerberos token is for that session only ?
    >
    >As a general rule, GSSAPI tokens (which in the specific case of Kerberos contain AP-REQ/AP-REP messages) are supposed to be only used once;
    >they contain an expiration time in them and are supposed to be checked
    >for reuse on the server side (although that may not always happen
    >depending on implementation details). You should always get a new
    >one by calling the appropriate APIs. Note that assuming your client
    >is using a standard ticket cache only the first request will require
    >contacting the KDC.
    >
    >--Ken
