[DRIVERS-278] Cross Realm authentication using Kerberos
Created: 11/Dec/15 | Updated: 15/Apr/19 | Resolved: 05/Jul/18

| Status: | Closed |
| Project: | Drivers |
| Component/s: | None |
| Fix Version/s: | None |
| Type: | New Feature |
| Priority: | Major - P3 |
| Reporter: | Christian Amor Kvalheim |
| Assignee: | Craig Wilson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Driver Compliance: | |
| Description |
|
Drivers should be able to provide an authentication realm when authenticating using Kerberos. Java example below.
NOTE: this Java example is how this could be exposed in the Java driver. It doesn't actually work this way now. The Java driver does not support a "REALM" mechanism property. This is to allow for cross realm authentication.
| Comments |
| Comment by Jeremy Mikola [ 21/Nov/16 ] |
|
PHPC and HHVM should be satisfied by |
| Comment by Craig Wilson [ 16/Dec/15 ] |
|
.NET supports cross realm authentication on Windows. Our docs include a special mechanism property called REALM which allows the server to be in a different realm than the user. With SSPI, this is accomplished by appending the alternate realm to the service principal name in the call to InitializeSecurityContext. https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/GssapiAuthenticator.cs#L231 When the service principal name doesn't have a realm on it, it uses the user's realm. I do not know how this is done on Linux. We dropped GSSAPI support on Linux a while ago because no one used it and no one complained. However, we'll be needing to add it back pretty soon with the CoreCLR changes.
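The mechanism described in the ticket description and in Craig's comment above (a REALM mechanism property that sets the realm of the service principal name, falling back to the user's own realm when absent), modelled in Python as an added example; this is not code from the Java, .NET or any other MongoDB driver. The property keys "REALM" and "SERVICE_NAME", the default service name "mongodb", the sample principals and realms, and the rule rejecting separator characters are all assumptions made for the example. The krbtgt naming in the last function follows the MIT cross-realm documentation Bernie links in the comments below: for a user in one realm to reach a service in another, the KDCs on both sides must share a key for krbtgt/SERVICE_REALM@USER_REALM, which no driver setting can substitute for.

```python
"""Added example (not driver code): build the GSSAPI target principal a
MongoDB driver would request, honouring an optional REALM mechanism
property, and name the cross-realm ticket the KDCs must be able to issue.
Property keys, defaults and the sample principals are assumptions."""

import re
from dataclasses import dataclass
from typing import Mapping, Optional

DEFAULT_SERVICE_NAME = "mongodb"  # assumed default service name

# A principal component must not contain the separators '/' or '@' (nor
# control characters). Rejecting them keeps a host or realm taken from a
# connection string from smuggling an extra realm into the SPN.
_COMPONENT = re.compile(r"[^/@\x00-\x1f\x7f]+")


@dataclass(frozen=True)
class ServicePrincipal:
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def user_realm(user_principal: str) -> str:
    """Realm of a user principal written as name@REALM (e.g. alice@USERS.EXAMPLE)."""
    name, sep, realm = user_principal.rpartition("@")
    if not sep or not _COMPONENT.fullmatch(name) or not _COMPONENT.fullmatch(realm):
        raise ValueError(f"user principal must be name@REALM, got {user_principal!r}")
    return realm


def service_principal(user_principal: str, host: str,
                      mechanism_properties: Optional[Mapping[str, str]] = None
                      ) -> ServicePrincipal:
    """Target SPN for GSSAPI: SERVICE_NAME/host@REALM.

    REALM (assumed property key) overrides the realm; when it is absent the
    service is taken to live in the user's own realm, which is the SSPI
    behaviour the ticket describes.
    """
    props = dict(mechanism_properties or {})
    service = props.get("SERVICE_NAME", DEFAULT_SERVICE_NAME)
    realm = props.get("REALM") or user_realm(user_principal)
    for label, value in (("SERVICE_NAME", service), ("host", host), ("REALM", realm)):
        if not _COMPONENT.fullmatch(value):
            raise ValueError(f"invalid {label} component {value!r}: '/' and '@' not allowed")
    return ServicePrincipal(service, host, realm)


def cross_realm_tgt(user_principal: str, target: ServicePrincipal) -> Optional[str]:
    """Cross-realm TGT the user's KDC must issue before the service's KDC can
    issue a ticket for `target`; None when both sides share one realm.

    Per the MIT docs, krbtgt/SERVICE_REALM@USER_REALM must exist with the
    same key in both KDCs. That is KDC configuration, not a driver setting.
    """
    realm = user_realm(user_principal)
    if target.realm == realm:
        return None
    return f"krbtgt/{target.realm}@{realm}"


if __name__ == "__main__":
    # Constructed sample: a user in USERS.EXAMPLE talking to a mongod in SERVERS.EXAMPLE.
    user = "alice@USERS.EXAMPLE"
    same = service_principal(user, "db1.users.example")
    cross = service_principal(user, "db1.servers.example", {"REALM": "SERVERS.EXAMPLE"})
    print(same, cross_realm_tgt(user, same))    # mongodb/db1.users.example@USERS.EXAMPLE None
    print(cross, cross_realm_tgt(user, cross))  # mongodb/db1.servers.example@SERVERS.EXAMPLE krbtgt/SERVERS.EXAMPLE@USERS.EXAMPLE
```

The separator check is the one part worth keeping in a real driver: the host name usually comes straight from the connection string, and a value such as `db1@SERVERS.EXAMPLE` would otherwise silently produce an SPN in a realm the operator never configured. The `cross_realm_tgt` result is what to look for with `klist` when cross-realm auth fails; if that ticket is never issued, the problem is on the KDC side, as Bernie's comments say.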
| Comment by Bernie Hackett [ 11/Dec/15 ] |
|
There is a section on cross realm auth here, but it still seems like a server / kdc configuration issue: http://www.kerberos.org/software/adminkerberos.pdf |
| Comment by Bernie Hackett [ 11/Dec/15 ] |
|
According to the MIT krb5 docs, this is all controlled by the KDCs: http://web.mit.edu/KERBEROS/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Cross_002drealm-Authentication.html