Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

/proc/kallsyms format, sqldatasource dal, wwwxxxenden, convert raid5 to raid 10 mdadm, apache force chunked, nrao wwwxxx, xxxxxdup, procmail change subject header, wwwXxx not20, Wwwxxx.doks sas

Links

XODOX
Impressum

#1: Delegated Kerberos through a CGI

Posted on 2008-04-24 15:50:04 by AWillemsen

Hi,

I'm trying to get a CGI to use delegated Kerberos authentication. The
environment is IE6 on the client (A) and IIS6 on two servers (B and C).

Delegated authentication is working with ASP, according to
http://support.microsoft.com/kb/314404 but when I substitute the CGI for
"Test1.asp" (both running on the server B in the same virtual directory and
accessed using the same URL) the authentication against server C fails with a
401.1 error.

So, I guess the problem is in the CGI code. The CGI (on server B) gets the
authentication protocol and key from the browser (on server A) in the
HTTP_AUTHORIZATION variable. At the moment, the code is just passing this
protocol and key on to server C in the Authorization: HTTP header. This
works fine for Basic authentication but not for Kerberos. Does the code need
to do something special with the key for Kerberos before passing it on?

Some notes:

1) The CGI is written in portable C++ and accesses HTTP resources directly
through a socket library (Winsock 1.1 on Windows) so has complete control
over the HTTP headers

2) It already supports NTLM/Kerberos/Negotiate (not delegated) with help
from the Windows Security API

3) I have verified that, although the protocol from the browser is
"Negotiate", the key received by the CGI from the browser is Kerberos and not
NTLM (by looking at its length)

Thanks for any help...

Report this message