[DRIVERS-278] Cross Realm authentication using Kerberos Created: 11/Dec/15  Updated: 15/Apr/19  Resolved: 05/Jul/18

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: Christian Amor Kvalheim Assignee: Craig Wilson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on CDRIVER-1174 Bring Connection URI usage up to spec... Closed
depends on PYTHON-750 Kerberos SSPI support for Windows Closed
depends on RUBY-1103 Support realm option when using Kerbe... Closed
Related
Driver Compliance:
Key Status/Resolution FixVersion
RUBY-1103 Done mongo-kerberos-2.1.0, 2.4.0, 12_01_17
PYTHON-750 Done 3.3
CDRIVER-1174 Done 1.4.0
PERL-752 Won't Fix

Description

Drivers should be able to provide an authentication realm when authenticating using Kerberos. Java example below.

import com.mongodb.MongoCredential;

// KERBEROS is assumed to hold the user part of the principal; the realm after '@' is the user's realm.
MongoCredential gssAPICred = MongoCredential
    .createGSSAPICredential(KERBEROS + "@WINDOWSREALM.COM")
    .withMechanismProperty("REALM", "LINUXREALM.COM")        // proposed: realm of the MongoDB service, not the user
    .withMechanismProperty("CANONICALIZE_HOST_NAME", true);

NOTE: this Java example is how this could be exposed in the Java driver. It doesn't actually work this way now. The Java driver does not support a "REALM" mechanism property.

This is to allow for cross realm authentication.



Comments
Comment by Jeremy Mikola [ 21/Nov/16 ]

PHPC and HHVM should be satisfied by CDRIVER-1174. Not relevant to PHPLIB.

Comment by Craig Wilson [ 16/Dec/15 ]

.NET supports cross-realm authentication on Windows. Our docs include a special mechanism property called REALM which allows the server to be in a different realm than the user. With SSPI, this is accomplished by appending the alternate realm to the service principal name in the call to InitializeSecurityContext.

https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/GssapiAuthenticator.cs#L231
https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/GssapiAuthenticator.cs#L262

When the service principal name doesn't have a realm on it, it uses the user's realm.

I do not know how this is done on Linux. We dropped GSSAPI support on Linux a while ago because no one used it and no one complained. However, we'll be needing to add it back pretty soon with the CoreCLR changes.
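An added example, not code from any MongoDB driver, that applies the rule in Craig Wilson's comment above to the REALM property proposed in the description: the service principal name (SPN) a client targets is service/host@REALM, where REALM comes from the mechanism property when given (cross-realm) and from the user's own principal otherwise. It assumes a connection-URI style property string (KEY:value pairs separated by commas), the property name REALM from the proposed Java example, and the drivers' usual default service name "mongodb".

```python
"""Derive the Kerberos SPN for a MongoDB cross-realm login (illustrative, not driver code)."""
from typing import Dict


def parse_mechanism_properties(props: str) -> Dict[str, str]:
    """Parse an authMechanismProperties value such as
    'SERVICE_NAME:mongodb,REALM:LINUXREALM.COM' into a dict with upper-cased keys."""
    result: Dict[str, str] = {}
    for item in filter(None, props.split(",")):
        if ":" not in item:
            raise ValueError(f"malformed mechanism property: {item!r}")
        key, value = item.split(":", 1)
        result[key.strip().upper()] = value.strip()
    return result


def user_realm(user_principal: str) -> str:
    """Return the realm of 'name@REALM'; a principal without a realm is rejected
    rather than silently defaulted, so a misconfigured client fails early."""
    name, sep, realm = user_principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"user principal must be 'name@REALM': {user_principal!r}")
    return realm


def service_principal_name(user_principal: str, host: str, props: Dict[str, str]) -> str:
    """Build 'service/host@REALM' as described in the comment above: an explicit
    REALM property is appended to the SPN; without it the user's realm is used."""
    service = props.get("SERVICE_NAME", "mongodb")  # assumed default service name
    realm = props.get("REALM") or user_realm(user_principal)
    return f"{service}/{host}@{realm}"


if __name__ == "__main__":
    # Constructed sample values matching the Java example in the description.
    user = "alice@WINDOWSREALM.COM"
    cross = parse_mechanism_properties("SERVICE_NAME:mongodb,REALM:LINUXREALM.COM")
    print(service_principal_name(user, "db1.example.com", cross))   # service in the other realm
    print(service_principal_name(user, "db1.example.com", {}))      # falls back to the user's realm
```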

Comment by Bernie Hackett [ 11/Dec/15 ]

There is a section on cross-realm auth here, but it still seems like a server / KDC configuration issue: http://www.kerberos.org/software/adminkerberos.pdf

Comment by Bernie Hackett [ 11/Dec/15 ]

According to the MIT krb5 docs, this is all controlled by the KDCs: http://web.mit.edu/KERBEROS/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Cross_002drealm-Authentication.html
