Hello guys,

I had a question for you related to Windows authentication and SSO using kerberos functions of AD.

I'm trying to make a little piece of software Kerberos-compatible.

The service is a custom web server service, written in Java at the beginning (no Apache, no Tomcat, etc.: it's a really quite simple service that gives specific information.)
It's so simple that we can consider it could be in any language: Delphi, VB...

I've tried to make it work SSO-like:

It uses SPNEGO (Kerberos), and listens on port 80.

To be more precise, I've already set up a clean config:
An AD server (W2K3) on computer "Main",
a host for my application on computer "SRV",
a client trying to connect to my service on that previously mentioned host.
Every computer is logged on the AD network.
I've created every config element already (via use of SPN, ktab, etc.)
I got my keytab for my simple plain Java app, serving a dumb HTTP service.

When IE tries to connect to it, I respond with an HTTP 401 Authorization: Negotiate, so IE goes and gets a TGS from the AD
and sends it back to me as part of my header:
Authorization: Negotiate YIIFCQYGKwYBBQUCoIIE/TCCBPmgMDAuBgkqh..........

My question is this, my dear experts:
could you help me figure out what to do next?

I got a TGS (wrapped with SPNEGO in the http header)
I got my service keytab
What API is to be used to validate this AND get the user name...
How can I extract this krb5 token hidden there beneath the encoding;
The ultimate goal of this for me is (with the help of this Kerberos token IE gives me) to know who is using my service so I can send him accurate information directly (this is what they call SSO, right?)
All I want is getting this single info: which account is requesting the service.

It doesn't matter if I have to do it in Java, or C/C++, or VB.
Consider I can pass the token to any native C/C++ or VB code to deal with it natively, but I found no SDK, library, etc. dealing with this subject.
Any help will be really appreciated


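As an added example (not Laurent's code and not part of the original thread), here is the server-side step the question asks for, using Java's built-in GSS-API: the service logs in from its keytab through a JAAS entry (assumed name "ServiceLogin", placeholder keytab path and SPN), decodes the Negotiate header value, accepts the SPNEGO token and reads the caller's principal. It assumes the realm and KDC are configured via krb5.conf or the java.security.krb5.realm/kdc system properties, and that the initial 401 carried "WWW-Authenticate: Negotiate" (the header name that triggers the browser's Kerberos exchange).

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

// Assumed JAAS entry, passed with -Djava.security.auth.login.config=<file> (paths/names are placeholders):
//   ServiceLogin { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true
//     isInitiator=false keyTab="/path/to/http-srv.keytab" principal="HTTP/srv.example.com@EXAMPLE.COM"; };
public final class SpnegoAuthenticator {
    /** One round: principal is "user@REALM" once established, else null; responseToken (base64) may be null. */
    public static final class Result {
        public final String principal, responseToken;
        Result(String p, String t) { principal = p; responseToken = t; }
    }
    private final GSSCredential serverCred;

    /** Logs the service in from its keytab and keeps an accept-only SPNEGO credential. */
    public SpnegoAuthenticator() throws Exception {
        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();
        serverCred = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<GSSCredential>) () ->
            GSSManager.getInstance().createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.3.6.1.5.5.2") /* SPNEGO */, GSSCredential.ACCEPT_ONLY));
    }

    /** Validates the request's Authorization header value. A null principal means: answer 401 again. */
    public Result authenticate(String authorization) throws GSSException {
        if (authorization == null || !authorization.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return new Result(null, null); // no token yet: reply 401 with "WWW-Authenticate: Negotiate"
        }
        String b64 = authorization.substring(10).trim();
        if (b64.startsWith("TlRMTVNT")) { // base64 of "NTLMSSP": browser fell back to NTLM (SPN not resolved)
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        byte[] inToken = Base64.getDecoder().decode(b64);
        GSSContext ctx = GSSManager.getInstance().createContext(serverCred);
        try {
            byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length); // checks the ticket against the keytab
            String out = outToken == null ? null : Base64.getEncoder().encodeToString(outToken);
            if (!ctx.isEstablished()) return new Result(null, out); // another leg needed: 401 + out token
            return new Result(ctx.getSrcName().toString(), out);    // done: out (if any) goes on the 200 reply
        } finally {
            ctx.dispose();
        }
    }
}
```

If the browser sends the NTLM fallback instead of a Kerberos token, the usual cause is that the SPN HTTP/<hostname the client typed> is not registered on the service account the keytab belongs to.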
Damien Watkins - MSFT

Re: How to make an app SSO/Kerberos compatible

Hey Laurent,
Have you got any luck getting to the Kerberos ticket?
I face a very similar situation, where I need to get to the "ticket cache" to get the TGS session key and the TGS ticket. As far as I understand, it is somehow possible to get the tickets of the current user. Did you write a wrapper for the LSA access?