Delegated Kerberos through a CGI

Delegated Kerberos through a CGI

am 24.04.2008 15:50:04 von AWillemsen

Hi,

I'm trying to get a CGI to use delegated Kerberos authentication. The
environment is IE6 on the client (A) and IIS6 on two servers (B and C).

Delegated authentication is working with ASP, according to
http://support.microsoft.com/kb/314404 but when I substitute the CGI for
"Test1.asp" (both running on the server B in the same virtual directory and
accessed using the same URL) the authentication against server C fails with a
401.1 error.

So, I guess the problem is in the CGI code. The CGI (on server B) gets the
authentication protocol and key from the browser (on server A) in the
HTTP_AUTHORIZATION variable. At the moment, the code is just passing this
protocol and key on to server C in the Authorization: HTTP header. This
works fine for Basic authentication but not for Kerberos. Does the code need
to do something special with the key for Kerberos before passing it on?

Some notes:

1) The CGI is written in portable C++ and accesses HTTP resources directly
through a socket library (Winsock 1.1 on Windows) so has complete control
over the HTTP headers

2) It already supports NTLM/Kerberos/Negotiate (not delegated) with help
from the Windows Security API

3) I have verified that, although the protocol from the browser is
"Negotiate", the key received by the CGI from the browser is Kerberos and not
NTLM (by looking at its length)

Thanks for any help...