2
votes

I am developing a Java EE server application that needs to generate a Kerberos ticket on behalf of a user.

The application I am developing will authenticate the user using alternate credentials (non Active Directory, say biometric), and then needs to somehow generate a Kerberos ticket showing the user is authenticated. I will then use the Kerberos ticket, to generate a SPNEGO token, and insert the token in the HTTP header so the user does not have to be re-authenticated on subsequent requests from the browser.

Is it possible to generate that Kerberos ticket on behalf of the user without the user's raw AD password? (Assume I have access to an AD service account login & password.) If it is possible, how would I go about doing it? What kind of configuration and permissions are necessary?


1 Answer

4
votes

Yes, that is possible. Microsoft has extended Kerberos for this. This is called Services for User (S4U). Your case is called S4U2Self (protocol transition). This will be available with Java 8. You can check the ticket and add that code to your Java endorsed classpath. You can read more in the MIT Kerberos wiki.
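As an added illustration (not the answerer's code) of what the S4U2Self path looks like from a Java EE service using the JDK 8 GSS-API extension: the service account logs in with its own keytab, asks the KDC for a ticket for the already-authenticated user via `ExtendedGSSCredential.impersonate`, and uses that credential to build the initial context token. The JAAS entry name `ServiceAccount`, the user principal, the target SPN and the krb5 configuration are assumptions; on the AD side the service account must be allowed constrained delegation with protocol transition ("Use any authentication protocol") to the target SPN, otherwise the KDC refuses the S4U request and the code fails at `impersonate` or `initSecContext`.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.login.LoginContext;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential; // JDK 8+, S4U2Self support

public class S4U2SelfExample {
    // Kerberos V5 GSS-API mechanism OID
    static final Oid KRB5 = new Oid("1.2.840.113554.1.2.2");

    /**
     * Returns the initial GSS token for targetSpn, obtained on behalf of userPrincipal
     * without that user's password. "ServiceAccount" is an assumed JAAS login entry
     * configured with useKeyTab=true and the service account's keytab.
     */
    public static byte[] tokenOnBehalfOf(String userPrincipal, String targetSpn) throws Exception {
        LoginContext lc = new LoginContext("ServiceAccount");
        lc.login();  // service account's own TGT goes into the Subject
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            // Credential of the service itself (INITIATE_ONLY: we act as client here)
            GSSCredential self = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    KRB5, GSSCredential.INITIATE_ONLY);
            // S4U2Self: KDC issues a service ticket to ourselves, with the user as client,
            // only if the account is trusted for protocol transition in AD.
            GSSName user = mgr.createName(userPrincipal, GSSName.NT_USER_NAME);
            GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);
            // Using the impersonated credential against the target triggers S4U2Proxy.
            GSSName target = mgr.createName(targetSpn, GSSName.NT_HOSTBASED_SERVICE, KRB5);
            GSSContext ctx = mgr.createContext(target, KRB5, asUser, GSSContext.DEFAULT_LIFETIME);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    public static void main(String[] args) throws Exception {
        // Assumed principal and SPN; the real values come from your realm.
        byte[] token = tokenOnBehalfOf("alice@EXAMPLE.COM", "HTTP@app.example.com");
        System.out.println("Negotiate " + Base64.getEncoder().encodeToString(token));
    }
}
```

The token is a raw Kerberos GSS token; wrapping it in a SPNEGO NegTokenInit, or requesting the SPNEGO mechanism instead of `KRB5`, is the remaining step before it goes into the HTTP `Authorization` header.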