how to request for a service ticket from Key Distribution Center in case of Kerberos authentication


prince thomas

Oct 30, 2012, 5:03:43 AM
to Google-Search-...@googlegroups.com
Hi,

I am using a customised application (.Net) to fetch the results from GSA. This includes the secure search with Kerberos authentication. So the application needs to request a service ticket for the Google Search Appliance from the Kerberos Key Distribution Center (KDC). Can anybody please help me to understand how exactly I need to form the request URL to get the service ticket from the KDC? Sample C# code or any helpful link to achieve the same from C# or vb.net will also help me.

Thanks in anticipation!!

Regards,
Prince

Jeremy Garreau

Oct 30, 2012, 6:44:58 AM
to Google-Search-...@googlegroups.com
I would get a look at the Google Search Box for Sharepoint which implements authentication using Kerberos.

prince thomas

Oct 30, 2012, 6:50:36 AM
to Google-Search-...@googlegroups.com
Thanks Jeremy!!

On Tuesday, October 30, 2012 4:14:59 PM UTC+5:30, Jeremy Garreau wrote:
> I would get a look at the Google Search Box for Sharepoint which implements authentication using Kerberos.
>
> On Tuesday, October 30, 2012 10:03:43 AM UTC+1, prince thomas wrote:
> > Hi,
> >
> > I am using a customised application (.Net) to fetch the results from GSA. This includes the secure search with Kerberos authentication. So the application needs to request a service ticket for the Google Search Appliance from the Kerberos Key Distribution Center (KDC). Can anybody please help me to understand how exactly I need to form the request URL to get the service ticket from the KDC? Sample C# code or any helpful link to achieve the same from C# or vb.net will also help me.

Jeremy Garreau

Oct 30, 2012, 6:55:40 AM
to Google-Search-...@googlegroups.com
It depends on what you need to achieve actually.

Is your application already authenticating people using IWA? If not, I believe your application is using IIS, and it's a feature you need to activate in the server role.

If you're already authenticating users, you just need to forward the server HTTP headers (except Set-Cookie & Location) of your application, which already contain the Kerberos token, and follow the redirect (for authentication on the security manager). The GSA should receive the authentication token this way and return the search results quite easily.

prince thomas

Oct 30, 2012, 7:34:25 AM
to Google-Search-...@googlegroups.com
Hi Jeremy,

Yes, the client is a web application deployed in IIS. The existing application is already doing Kerberos authentication and getting the results. But we are soon going for an upgraded version of GSA. When we tried to use the existing code in the test environment with the new version of GSA, it's not returning the results. Later we found that, in order to make it work, the frontend application will need to request a service ticket for the GSA on behalf of the user from the KDC and send it along with the search request. I am not sure, or confused, about what exactly the change is that I need to make here.

The existing code uses HttpWebRequest and HttpWebResponse to create the request and response. The existing code which I use is attached for your reference.

Please let me know if you would require any further details.

Thanks !
Kerberos_Auth_Code.txt

Dave Watts

Oct 30, 2012, 10:50:35 AM
to Google-Search-...@googlegroups.com
> If you're already authenticating user, you just need to forward the server
> HTTP header (except Set-Cookie & Location) of your application which already
> contains the Kerberos token and follow redirect (for authentication on the
> security manager). The GSA should receive the authentication token this way
> and return the search results quite easily.

I don't think you can simply forward Kerberos tokens like that. The
application will have to impersonate the user and request a Kerberos
token on the user's behalf (just like the GSA does when you directly
visit a Kerberized GSA). The application will need to run with a user
context that allows this impersonation.

Details are described here:

http://stackoverflow.com/questions/4013081/passthrough-impersonation-authentication-with-asp-net-and-tfs-api

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Jeremy Garreau

Oct 30, 2012, 6:18:38 PM
to Google-Search-...@googlegroups.com
If the application is running IWA authN (enabled through the documentation you shared), the Kerberos Authorization header should transit within the HTTP header of the application, and forwarding it to the GSA should be enough.

I believe this is what is done in the GSB. This should be fairly easy to verify, checking if 2 IIS applications on different servers are sharing the same Kerberos ticket once authenticated.

I guess I'm not clear enough :)

Dave Watts

Oct 30, 2012, 6:37:08 PM
to Google-Search-...@googlegroups.com
> If the application is running IWA authN (enabled through the documentation
> you shared), the Kerberos Authorization header should transit within the
> HTTP header of the application, and forwarding it to the GSA should be
> enough.
>
> I believe this is what is done in the GSB. This should be fairly easy to
> verify, checking if 2 IIS applications on different server are sharing the
> same Kerberos ticket once authenticated.

No, I'm pretty sure this is not what happens with the GSA. A client
will need a different service ticket for each server within a
Kerberized domain, and you can't just grab a ticket and proxy it to
another server. You can verify this pretty easily if you have a
Kerberized GSA and content server - when you view your tickets with
klist, you'll see one for the content server and another for the GSA.
When you contact the GSA initially to run a secure search, your
machine will contact the KDC for a ticket specifically for the GSA.
Then, after you've been authenticated by the GSA and it runs the
search, it'll filter the results by impersonating you and requesting a
new service ticket - but this ticket will not be represented by an
identical token.

Fortunately, this should be pretty easy to deal with in ASP.NET by
simply setting the appropriate web.config entries and ensuring that
the IIS user account is allowed to perform impersonation.
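The impersonation model Dave describes in this and his earlier reply (the application runs as the user and SSPI fetches a new service ticket for the GSA from the KDC, rather than replaying the Authorization header the browser sent to the web server) looks like the following in an ASP.NET (.NET Framework) page. This is an added example, not code from any participant or from the attached Kerberos_Auth_Code.txt. It assumes the web.config entries shown in the leading comment, that the application pool account is trusted for delegation to the GSA's SPN in Active Directory, and placeholder values for the GSA hostname and search parameters.

```csharp
// Added example (not code posted in the thread). Runs a GSA secure search as the
// currently authenticated Windows user from an ASP.NET (.NET Framework) application.
//
// Assumed web.config (the "appropriate web.config entries"):
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//   </system.web>
// Assumed AD setup: the app pool account is trusted for (constrained) delegation to
// the GSA's SPN, e.g. HTTP/gsa.example.com. Hostname and parameters are placeholders.
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

public static class GsaSecureSearch
{
    private const string GsaSearchUrl = "https://gsa.example.com/search"; // placeholder host

    public static string Search(HttpContext ctx, string query)
    {
        var user = ctx.User.Identity as WindowsIdentity;
        if (user == null || !user.IsAuthenticated)
            throw new InvalidOperationException("Windows (IWA) authentication is required.");

        // Impersonation alone is not enough. For SSPI to ask the KDC for a service
        // ticket for the GSA on the user's behalf, the user's token must be at
        // delegation level; an impersonation-level token makes the GSA answer 401
        // even though the user is logged in to this web server.
        if (user.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "User token is " + user.ImpersonationLevel +
                "; Kerberos delegation to the GSA SPN is not configured.");

        using (user.Impersonate()) // thread now runs as the end user, not the app pool account
        {
            // access=a and output=xml_no_dtd are standard GSA search parameters;
            // adjust to the front end and output format you actually use.
            string url = GsaSearchUrl + "?q=" + Uri.EscapeDataString(query)
                       + "&access=a&output=xml_no_dtd";

            var request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "GET";
            // DefaultCredentials on an impersonating thread means the end user's
            // identity. SSPI negotiates Kerberos and obtains a NEW service ticket for
            // HTTP/gsa.example.com from the KDC. The Authorization header the browser
            // sent to this web server is never copied onto the outgoing request.
            request.Credentials = CredentialCache.DefaultCredentials;
            request.AllowAutoRedirect = true; // follow the security-manager redirects
            request.Timeout = 30000;

            try
            {
                using (var response = (HttpWebResponse)request.GetResponse())
                using (var reader = new StreamReader(response.GetResponseStream()))
                {
                    return reader.ReadToEnd();
                }
            }
            catch (WebException ex)
            {
                var r = ex.Response as HttpWebResponse;
                if (r != null && r.StatusCode == HttpStatusCode.Unauthorized)
                {
                    // Typical causes: delegation not granted to the app pool account,
                    // missing or duplicate SPN for the GSA host, or NTLM fallback
                    // (NTLM cannot be delegated, so the hop to the GSA fails).
                    throw new InvalidOperationException(
                        "GSA rejected the delegated Kerberos credentials (401).", ex);
                }
                throw;
            }
        }
    }
}
```

The per-server ticket behaviour Dave mentions is visible from a client workstation with `klist`: after a search you should see one HTTP/ ticket for the IIS web server and a separate one for the GSA host, which is why the header received by the web server cannot be reused. When the call above fails with 401, the usual checks are the delegation setting on the app pool account, a single correctly registered SPN for the GSA host, and that the browser actually used Kerberos rather than falling back to NTLM.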

Jeremy Garreau

Oct 31, 2012, 2:53:53 AM
to Google-Search-...@googlegroups.com
So as I said, enabling IWA on IIS and forwarding the user ticket of the web server to the GSA on behalf of the web server works?

We're just saying the same things, didn't detail it enough

Dave Watts

Oct 31, 2012, 12:12:51 PM
to Google-Search-...@googlegroups.com
> So as I said, enabling IWA on IIS and forwarding the user ticket of the web server to the GSA on behalf of the web server works?
>
> We're just saying the same things, didn't detail it enough

I don't think we're actually saying the same thing, though - and with
Kerberos, details are very important!

The IIS application CANNOT forward a service ticket. It will have to
fetch a NEW service ticket from the KDC to use on that user's behalf.

If that's actually what you meant, I apologize in advance for
misunderstanding you.

Jared

Nov 7, 2012, 11:50:14 AM
to Google-Search-...@googlegroups.com
prince,
Did you ever find a solution? I have run into a similar situation and could use a few pointers.