2.5.4.1.4.1 Delegate by Using a Kerberos Forwarded TGT Mechanism

Goal: To let the front-end server access resources or services on the back-end server under the identity of the client, by delegating that identity to the front-end server with a Kerberos forwarded TGT ([RFC4120] section 2.8).

Context of Use: The front-end server has to access resources or services on the back-end server on behalf of the identity of the client application to serve the client application request.

Direct Actor: The client application.

Primary Actor: The user that is running the client application.

Supporting Actors: The AA, the back-end server, and the account DB.

Preconditions:

  • The user that started the client application is authenticated to the AA, and the client application has obtained a forwarded TGT and a service ticket for the front-end server, as described in [MS-SFU] section 1.3.3.

  • The identities of the user, the front-end server, and the back-end server are configured in the account DB.

  • The client application, the front-end server, the back-end server, and the AA can communicate with each other.

Minimal Guarantee: When the front-end server fails to prove the identity of the user that is running the client application, the front-end server receives an error message that indicates the reason for the failure.

Success Guarantee: The front-end server can prove the identity of the user that is running the client application to the back-end server application.

Trigger: The front-end server application has to access a protected resource or a service on the back-end server on behalf of the identity of the user that is running the client application.

Main Success Scenario:

  1. The client application makes the request to the front-end server by presenting a service ticket for the front-end server together with a forwarded TGT. The forwarded TGT is usable only with its session key, which the client sends along with it (in Kerberos, in a KRB-CRED message, [RFC4120] section 3.6).

  2. To fulfill the client application request, the front-end server has to access the back-end server to perform some action on behalf of the identity of the user that is running the client application. The front-end server asks the AA for a service ticket for the back-end server in the client's name by presenting the forwarded TGT that it received in step 1. Because the forwarded credential is a TGT, it is not restricted to the back-end server: the front-end server can use it to request a service ticket for any service in the realm.

  3. The AA validates the forwarded TGT and the accompanying authenticator contained in the request and returns a service ticket for the back-end server application, issued in the client's name.

  4. The front-end server submits the service ticket from step 3 to the back-end server to prove the identity of the user that is running the client application.

  5. The back-end server verifies the service ticket, and with it the identity of the user that is running the client application, and responds to the front-end server.

  6. The front-end server responds to the client application.

Postcondition: The front-end server can successfully prove the identity of the user that is running the client application to the back-end server application.
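The following Python model is an added illustration of the main success scenario above; it is not part of this overview and not the code of any Kerberos implementation. The principal names (alice, frontend, backend, krbtgt), their keys, and the HMAC "seal" that stands in for Kerberos encryption are constructed for the example. Ticket flag bit positions follow [RFC4120] section 5.3, and the FORWARDED handling follows [RFC4120] section 2.8: FORWARDED is set when a FORWARDABLE TGT is presented with the FORWARDED option, and on every ticket issued from a TGT that already carries FORWARDED. The last function shows the minimal guarantee: a TGT that was not issued under the krbtgt key yields an error naming the reason.

```python
import hashlib
import hmac
import json
import os

# TicketFlags bit positions from RFC 4120 section 5.3; bit 0 is the most
# significant bit of the 32-bit KerberosFlags bit string.
TICKET_FLAGS = {"forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
                "renewable": 8, "initial": 9, "pre-authent": 10}

def encode_flags(names):
    return sum(1 << (31 - TICKET_FLAGS[n]) for n in set(names))

def decode_flags(value):
    return sorted(n for n, bit in TICKET_FLAGS.items() if value & (1 << (31 - bit)))

class KrbError(Exception):
    """Stand-in for KRB-ERROR; the message is the reason handed back to the caller."""

def seal(key, fields):
    """HMAC-sealed token standing in for Kerberos EncryptedData (integrity only)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def unseal(key, token, what):
    body = bytes.fromhex(token["body"])
    if not hmac.compare_digest(token["tag"], hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise KrbError(f"KRB_AP_ERR_BAD_INTEGRITY: {what} was not issued under the expected key")
    return json.loads(body)

def authenticator(session_key, sname):
    """Toy Authenticator: proves the presenter holds the ticket's session key."""
    return hmac.new(session_key, sname.encode(), hashlib.sha256).hexdigest()

class AuthenticationAuthority:
    """Toy AA (KDC); account_db maps principal name -> long-term key (constructed)."""
    def __init__(self, account_db):
        self.keys = account_db

    def _issue(self, cname, sname, flags):
        session_key = os.urandom(32)
        ticket = seal(self.keys[sname], {"cname": cname, "sname": sname,
                                          "flags": encode_flags(flags), "key": session_key.hex()})
        return ticket, session_key

    def as_req(self, cname, client_key):
        if not hmac.compare_digest(self.keys[cname], client_key):
            raise KrbError("KDC_ERR_PREAUTH_FAILED")
        return self._issue(cname, "krbtgt", ["forwardable", "initial"])

    def tgs_req(self, tgt, auth, sname, options=()):
        """Validate the TGT and its authenticator, then issue a ticket for sname in the
        name of the TGT's cname. FORWARDED handling follows RFC 4120 section 2.8."""
        t = unseal(self.keys["krbtgt"], tgt, "TGT")
        if not hmac.compare_digest(auth, authenticator(bytes.fromhex(t["key"]), sname)):
            raise KrbError("KRB_AP_ERR_BAD_INTEGRITY: authenticator does not match TGT session key")
        flags = set(decode_flags(t["flags"]))
        if "forwarded" in options:  # only a FORWARDABLE TGT may be forwarded
            if "forwardable" not in flags:
                raise KrbError("KDC_ERR_BADOPTION: TGT is not forwardable")
            flags.add("forwarded")
        # FORWARDED propagates to every ticket derived from a forwarded TGT; FORWARDABLE stays on TGTs only
        keep = {"forwardable", "forwarded"} if sname == "krbtgt" else {"forwarded"}
        return self._issue(t["cname"], sname, flags & keep)

def verify_service_ticket(service_key, ticket, auth):
    """AP exchange at a server: open the ticket with its own key and check the authenticator."""
    t = unseal(service_key, ticket, "service ticket")
    if not hmac.compare_digest(auth, authenticator(bytes.fromhex(t["key"]), t["sname"])):
        raise KrbError("KRB_AP_ERR_BAD_INTEGRITY: authenticator does not match ticket session key")
    return t["cname"], decode_flags(t["flags"])

def run_forwarded_tgt_scenario():
    """Steps 1-6 of the main success scenario with constructed principals and keys."""
    db = {"krbtgt": os.urandom(32), "alice": os.urandom(32),
          "frontend": os.urandom(32), "backend": os.urandom(32)}
    aa = AuthenticationAuthority(db)
    # Preconditions: alice authenticates, then obtains a forwarded TGT and a front-end ticket.
    tgt, tgt_key = aa.as_req("alice", db["alice"])
    fwd_tgt, fwd_key = aa.tgs_req(tgt, authenticator(tgt_key, "krbtgt"), "krbtgt", ("forwarded",))
    fe_ticket, fe_key = aa.tgs_req(tgt, authenticator(tgt_key, "frontend"), "frontend")
    # Step 1: the client presents the front-end ticket plus the forwarded TGT and its session key.
    verify_service_ticket(db["frontend"], fe_ticket, authenticator(fe_key, "frontend"))
    # Steps 2-3: the front-end presents the forwarded TGT and gets a back-end ticket in alice's name.
    be_ticket, be_key = aa.tgs_req(fwd_tgt, authenticator(fwd_key, "backend"), "backend")
    # Steps 4-5: the back-end opens the ticket and sees alice, not the front-end, as cname.
    cname, flags = verify_service_ticket(db["backend"], be_ticket, authenticator(be_key, "backend"))
    return {"backend_sees": cname, "flags": flags,
            "fwd_tgt_flags": decode_flags(unseal(db["krbtgt"], fwd_tgt, "TGT")["flags"])}

def forged_tgt_is_rejected():
    """Minimal guarantee: a TGT not sealed under the krbtgt key draws a KRB-ERROR reason."""
    db = {"krbtgt": os.urandom(32), "backend": os.urandom(32)}
    rogue_key = os.urandom(32)
    fake = seal(rogue_key, {"cname": "alice", "sname": "krbtgt",
                            "flags": encode_flags(["forwarded"]), "key": rogue_key.hex()})
    try:
        AuthenticationAuthority(db).tgs_req(fake, authenticator(rogue_key, "backend"), "backend")
    except KrbError as err:
        return str(err)
    return None
```

Running run_forwarded_tgt_scenario() shows the back-end server learning "alice" as cname from a ticket it never saw the user request, with the FORWARDED flag carried over from the forwarded TGT; forged_tgt_is_rejected() shows the AA refusing a TGT that was not issued under its own key and reporting why. The model omits realm names, addresses, lifetimes and the confidentiality of real Kerberos encryption on purpose; it is only the control flow of this use case.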

Extensions: None.