Configuring WWW-Negotiate Credentials delegation

A summary of information collected from the modauthkerb-help@lists.sourceforge.net malinglist

credentials delegation means your credentials are beeing forwarded to the targethost. The application on this host is now able to authenticate to other servers (POP3 for webmailfrontends, LDAP to edit the corporate directory, RDBMS to do real important business stuff) an act as if is you.

In Kerberos5, for example, that means a TGT ist forwarded to the webserver. This server is able now to get all hostickets needed by the serverapplication.

Warning: This means a delegated credential is out of your control! Delegate credentials only to servers you trust!

Prerequirements

1. ensure that GSSAPI-based authentication does work as described in http://www.grolmsnet.de/kerbtut/

2. set

   KrbSaveCredentials on

   in httpd.conf

3. Ensure your browser really does GSSAPI credentials delegation, the following list describes how to configure the different webbrowsers:

• Firefox

  1. Start Firefox, enter

     about:config

     to the address field.

  2. add the hostnames or domainnames you trust for delegation to the network.negotiate-auth.delegation-uris option

     

• Internet Explorer (IE)

  • IE, authenticating against Active Directory (AD)

    quoting Michael B Allen:

    If you have auth working (and it's really doing Kerberos and not NTLM) then the only settings that could be responsible would be the two delegation settings:

    1. In ADU&C [1] go to the Account tab of the service account used by mod_auth_kerb and make sure "Account is trusted for delegation" is checked. This is not set by default.

    2. In ADU&C go to the Account tab of the User account for the client and make sure "Account is sensitive and cannot be delegated" is NOT checked. This is the default setting.

    You can verify that the tickets the client has are Forwardable by running kerbtray.exe on the client. If the client's TGT is not Forwardable delegation will not occur and you need to find out why the TGT you're getting isn't Forwardable.

    Additionally, some accounts will never do delegation. Administrator is one of them (in the wrong hands someone could do serious damage with Administrator's TGT - this is like 'root squash'). Even though the "Account is sensitive and cannot be delegated" flag is not on for Administrator it will still not do delegation. I believe this can be explained by looking at flags of the TGT in kerbtray but I'd have to check that on an XP machine and I'm feeling rather lazy right now :->

    Mike

    [1] This assumes your Windows clients are joined to AD and not Heimdal or MIT. If the later is the case the concepts still apply, the settings are of course different.

  • IE, authenticating against Heimdal KDC

    add attribute Heimdal attribute 'ok-as-delegate':

    kadmin> modify  HTTP/krb-server.int.oldboy
    Max ticket life [1 day]:
    Max renewable life [1 week]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:ok-as-delegate
       

  • Additonal IE-related ressources

    • http://technet2.microsoft.com/WindowsServer/en/Library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true

• KDE Konqueror

  Konqueror does support GSSAPI, but not credentials delegation out of the box

  1. get the kdelibs-x-y-z source package.

  2. edit file

     kioslave/http/http.cc

  3. change

     OM_uint32 req_flags = 0;

     to

     OM_uint32 req_flags = GSS_C_DELEG_FLAG ;

  Warning:this changes Konqueror to do always credentials delegation.

  a configureable behaviour (for example based on target-hostname, like Firefox does) will be a lot better. Maybe someone adds a configuration dialog to Konqueror? A feature-request (ID 138414) is in KDEs bugzilla at http://bugs.kde.org/show_bug.cgi?id=138414

Thanks to:

• Michele Baldessari

  contributed the Heimdal-part of Internet Explorer section

Author: Achim Grolms. Feel free to send me corrections and feedback! modkerbtut@grolmsnet.de

last update 2006-12-11