How can my webapp get the Kerberos token of the logged in user?

Mar 31, 2011 at 11:15 AM

I'm using Waffle's NegotiateSecurityFilter with the Negotiate protocol on Apache Tomcat (Waffle 1.4).

How can my webapp get the Kerberos token of the logged in user? Is this information somehow accessible?

Mar 31, 2011 at 1:02 PM

There's no code in Waffle to do this, but it's probably possible. I would ask about how to do this generally in Win32 during Negotiate on the server-side. Then the code can be implemented with JNA.

Mar 31, 2011 at 1:30 PM

Okay, so the token used in NegotiateSecurityFilterProvider is just a preliminary token and not the end result?

Mar 31, 2011 at 1:32 PM

That token may contain what you want, but I don't know what its full structure is. As far as Waffle is concerned it's a black box.
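Added example, not part of the original posts and not Waffle code: a small classifier for the token carried in an HTTP `Authorization: Negotiate` header, showing that its outer structure is either a raw NTLM message or a GSS-API/SPNEGO negotiation token that lists mechanism OIDs. The class and method names are hypothetical, the sample tokens are constructed, and `java.util.Base64` (Java 8 or later) is assumed.

```java
import java.util.Arrays;
import java.util.Base64;
public class NegotiateTokenKind {
    // "NTLMSSP\0" signature, then DER-encoded mechanism OIDs (tag 0x06, length, value)
    static final byte[] NTLMSSP = hex("4e544c4d53535000");
    static final byte[] SPNEGO  = hex("06062b0601050502");          // 1.3.6.1.5.5.2
    static final byte[] KRB5    = hex("06092a864886f712010202");    // 1.2.840.113554.1.2.2
    static final byte[] MS_KRB5 = hex("06092a864882f712010202");    // 1.2.840.48018.1.2.2
    static final byte[] NTLM    = hex("060a2b06010401823702020a");  // 1.3.6.1.4.1.311.2.2.10
    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    static boolean at(byte[] b, int off, byte[] pat) {
        return off + pat.length <= b.length && Arrays.equals(Arrays.copyOfRange(b, off, off + pat.length), pat);
    }
    // Size of the DER tag+length header at off (single-byte tags only).
    static int header(byte[] b, int off) {
        int l = b[off + 1] & 0xff;
        return 2 + (l < 0x80 ? 0 : (l & 0x7f));
    }
    static String classify(String headerValue) {
        String[] p = headerValue.trim().split("\\s+", 2);
        if (p.length != 2 || !p[0].equalsIgnoreCase("Negotiate")) return "not a Negotiate header";
        try {
            byte[] t = Base64.getDecoder().decode(p[1].trim());
            if (at(t, 0, NTLMSSP)) return "raw NTLM message";
            if ((t[0] & 0xff) != 0x60) return "not an initial GSS-API token";
            int off = header(t, 0);                        // step into InitialContextToken
            if (at(t, off, KRB5)) return "bare Kerberos GSS-API token";
            if (!at(t, off, SPNEGO)) return "other GSS-API mechanism";
            off += SPNEGO.length;
            for (int tag : new int[] {0xa0, 0x30, 0xa0, 0x30}) {  // [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
                if ((t[off] & 0xff) != tag) return "malformed SPNEGO token";
                off += header(t, off);
            }
            if (at(t, off, KRB5) || at(t, off, MS_KRB5)) return "SPNEGO, Kerberos offered first";
            return at(t, off, NTLM) ? "SPNEGO, NTLM offered first" : "SPNEGO, other mechanism first";
        } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException e) { return "malformed token"; }
    }
    public static void main(String[] args) {
        // Constructed samples: a SPNEGO NegTokenInit listing only Kerberos, and an NTLM type 1 prefix.
        String[] samples = {"601b06062b0601050502a011300fa00d300b06092a864886f712010202", "4e544c4d5353500001000000"};
        for (String s : samples)
            System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(hex(s))));
    }
}
```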

Mar 31, 2011 at 2:24 PM

The whole thing is not only for Waffle a black box, but for me too ;-)

I have to admit, I don't exactly know what I want to accomplish. The background is related to my other question, consuming a web service with the user's credentials.

I thought the first step would be to get the Kerberos token. According to this How To: Use Impersonation and Delegation in ASP.NET 2.0, it says that the WindowsIdentity is created by using a logon token returned from the Win32 LogonUser API. The NegotiateSecurityFilterProvider returns an IWindowsIdentity created from a WindowsSecurityContext which is initialized by a token, so I thought that this could be the token, but maybe the WindowsIdentity contains the real resulting token.

After having this token, the next step would be to call the web service. An API from Microsoft for calling the web service uses a class TokenCredentials which accepts a String securityToken. I wanted to give it a try and thought that maybe this is the token which Waffle uses in the NegotiateSecurityFilterProvider. But maybe I'm at a dead end.

Apr 11, 2011 at 4:20 AM

Figure out how to call that web service as the "current user". Maybe that API that uses TokenCredentials can use something else? Or maybe there's a way to obtain the TokenCredentials from the "current user"? Then Waffle can just impersonate and you're done.