Add Kerberos ticket to Windows Kerberos ticket store

z k 0 Reputation points
2023-03-05T18:46:01.0633333+00:00

I'm looking for a WINAPI to add a new Kerberos item to the Windows internal ticket store.

I'd like to offload the whole authentication process to a proprietary component and not rely on the OS Kerberos implementation, and get the following items:

  • Client-to-server ticket encrypted using the resource's secret key.
  • A new Authenticator encrypted using Client/Server Session Key

I'd like to set these 2 items where the OS keeps them, to be used when communicating with the resource itself.

Also, the resource returns another item for additional requests from the client, which is the timestamp found in the client's Authenticator encrypted using the Client/Server Session Key.

Is there an API I can use to inject those items to where the OS keeps the Kerberos items, so it can use them when it accesses the resource itself?

Here's an image to illustrate my case:

[image: kerberos]

Thanks for the help!

Microsoft Security | Microsoft Authenticator

1 answer

  1. risolis 8,741 Reputation points
    2023-03-06T03:21:27.2133333+00:00

    Hello @Z K

    Thank you for posting this concern on this community space.

    I have read your case scenario description and I would like to know if you have tried the process stated below (if I'm not mistaken, it is cross-authentication or cross-realm authentication for Kerberos):

    https://www.sharpencode.com/article/WebApi/authentication-and-authorization/windows-authentication-in-web-api

    https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Cross_002drealm-Authentication.html

    https://documentation.its.umich.edu/node/1051

    https://its.umich.edu/accounts-access/active-directory/design/kerberos-interoperability#:~:text=What%20Is%20Pass%2DThrough%20Authentication,protected%20by%20AD%20and%20Kerberos.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

