Kerberos token for a given spn

  • Question

  • < moved from C# forum to here >

    I am using the code below to get a Kerberos token to be later injected into a SAML assertion.
    What I get back is a GSS wrapped Kerberos ticket, but what I need is an MIT File Credential Cache Kerberos ticket.

    I haven't found an alternate way to retrieve a Kerberos token given a specific spn and user credentials. 99% of the articles are about consuming one or using it as a WS (not applicable to my case).

    Any help or pointers are greatly appreciated.

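    // Namespaces: System.IdentityModel.Selectors (provider), System.IdentityModel.Tokens (token).
    // Obtain a Kerberos token for the given SPN using explicit user credentials.
    KerberosSecurityTokenProvider k1 = new KerberosSecurityTokenProvider(spn, System.Security.Principal.TokenImpersonationLevel.Impersonation, new System.Net.NetworkCredential(userName, password, domain));
    
    KerberosRequestorSecurityToken T1 = k1.GetToken(TimeSpan.FromMinutes(1)) as KerberosRequestorSecurityToken;
    
    // GetRequest() returns the Kerberos ticket request bytes; Base64-encode them for transport.
    sret = Convert.ToBase64String(T1.GetRequest());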

    Friday, November 1, 2013 5:49 PM

All replies

  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Best Regards,
    Amy Peng


    Monday, November 4, 2013 4:54 AM
    Moderator
  • That'd be great. Thank you.
    Monday, November 4, 2013 6:14 AM
  • Hi,

    May I know what you mean by GSS wrapped Kerberos ticket and MIT File Credential Cache Kerberos ticket? Based on my experience, if you use a standard Windows Kerberos token, you can take advantage of WIF's KerberosSecurityTokenHandler (http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.kerberossecuritytokenhandler(v=vs.110).aspx). However, are you using a special Kerberos token that is used by MIT? The documents at http://web.mit.edu/kerberos/krb5-current/doc/index.html may help.

    Best Regards,

    Ming Xu



    Monday, November 4, 2013 3:40 PM
  •    

    The usage of this token is outside of my system. I am trying to get a Kerberos token for a given user and spn, convert it to base64 and inject it as a SAML assertion to be consumed by the third party application.

    The common file format is described here:

    http://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html



    When they decode the base64 string I provided above they get the below.

    Please advise.


    $ decode-base64 < tmp71A6.tmp > xxx
    $ cp /tmp/xxx /tmp/krb5cc_111
    $ klist -f
    klist: Unsupported credentials cache format version number while setting cache flags(ticket cache FILE:/tmp/krb5cc_111)

    $ dumpasn1 xxx
       0 1278: [APPLICATION 0] {
       4    9:   OBJECT IDENTIFIER '1 2 840 113554 1 2 2'



    Monday, November 4, 2013 5:02 PM
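
The two formats discussed in this thread can be told apart from their first bytes, which is why `klist` rejects the decoded blob while `dumpasn1` parses it. The following is an added example, not code from any poster in the thread: `classify` and the other names are hypothetical, and the sample token is constructed (same outer framing as the dump above, dummy payload). It assumes the MIT FILE ccache header (0x05 followed by a version byte 1 to 4) and the GSS-API initial token framing with the Kerberos V5 mechanism OID.

```python
import base64

KRB5_OID = "1.2.840.113554.1.2.2"   # mechanism OID shown in the dumpasn1 output
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

def der_length(buf, pos):
    """Return (length, next_pos) for a DER length field starting at pos."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):
    """Decode DER OID content octets into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last octet of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify(blob):
    """Classify a decoded token as an MIT FILE ccache or a GSS-API token."""
    if len(blob) >= 2 and blob[0] == 0x05 and 1 <= blob[1] <= 4:
        return {"kind": "ccache", "version": blob[1]}
    if len(blob) < 4 or blob[0] != 0x60:   # 0x60 = [APPLICATION 0], constructed
        return {"kind": "unknown"}
    try:
        total, pos = der_length(blob, 1)
        if blob[pos] != 0x06:              # mechanism OID must come first
            return {"kind": "unknown"}
        oid_len, pos = der_length(blob, pos + 1)
        oid = decode_oid(blob[pos:pos + oid_len])
    except (ValueError, IndexError):       # truncated or malformed framing
        return {"kind": "unknown"}
    inner = blob[pos + oid_len:]           # mechanism token: TOK_ID + message
    return {"kind": "gss-token", "length": total, "mech_oid": oid,
            "is_krb5": oid == KRB5_OID, "tok_id": TOK_IDS.get(inner[:2], "unknown")}

# Constructed sample: outer header 60 82 04 FE (length 1278), OID, TOK_ID, padding.
_oid = bytes.fromhex("06092a864886f712010202")
_body = _oid + b"\x01\x00" + b"\x00" * (1278 - len(_oid) - 2)
SAMPLE_B64 = base64.b64encode(b"\x60\x82\x04\xfe" + _body).decode()
```

Running `classify(base64.b64decode(...))` on the string handed to the third party shows which of the two formats it actually is before it is copied to a `krb5cc_*` path.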