How to delegate the Kerberos client credentials to the server?

Submitted by 扶醉桌前 on 2019-12-25 06:48:05

Question


Is it possible to get a service ticket for the client (remote user) on the server side, in order to use that ticket to authenticate against another backend?

Scenario: User (IE) ==> AppServer (Websphere, under Linux) ==> Backend (webservice)

  • We have SPNEGO auth running and working in the AppServer
  • The AD user that runs the AppServer has the rights to do the delegation

Thanks in advance

=====================

UPDATE

@Michael-O So... should this be the step by step?

1) Log in the AppServer user (the one with rights to do the delegation)

2) Execute a privileged action in his name

3) Set up a context between this user and the remote backend

4) initSecContext using the REMOTE USER SERVICE TICKET

5) As a result of the context initialization, we should have the service ticket for the remote user to access the remote backend

import java.security.PrivilegedAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Kerberos V5 mechanism OID, shared by the credential and the context below
private static Oid krb5Oid;

private static String getToken(byte[] remoteUserServiceTicket) {
    String token = null;
    byte[] serviceTicket = null;
    try {

        krb5Oid = new Oid("1.2.840.113554.1.2.2");

        // JAAS login as the AppServer's own AD account ("Krb5Login" is the JAAS entry name);
        // LoginCallbackHandler is the poster's own CallbackHandler that hands the
        // user name and password to Krb5LoginModule
        LoginContext loginCtx = new LoginContext("Krb5Login", new LoginCallbackHandler("APPSERVERUSER", "APPSERVERPASSWORD"));
        loginCtx.login();
        Subject subject = loginCtx.getSubject();
        serviceTicket = Subject.doAs(subject, new PrivilegedAction<byte[]>(){
            public byte[] run() {
                try {
                    byte[] delegatedTokenForTheRemoteUser = new byte[0];
                    GSSManager manager = GSSManager.getInstance();
                    // initiator credential for the AppServer account (8 hour lifetime)
                    GSSName webServerUserName = manager.createName("APPSERVERUSER@MYDOMAIN", GSSName.NT_USER_NAME);
                    GSSCredential webServerCred = manager.createCredential(webServerUserName, 8 * 3600, krb5Oid,
                        GSSCredential.INITIATE_ONLY);
                    // initiator context towards the backend SPN
                    GSSName backendName = manager.createName("HTTP/mybackend@MYDOMAIN", null);
                    GSSContext context = manager.createContext(backendName, krb5Oid, webServerCred,
                        GSSContext.DEFAULT_LIFETIME);
                    // the remote user's service ticket is fed to initSecContext as the input token
                    delegatedTokenForTheRemoteUser = context.initSecContext(remoteUserServiceTicket, 0, remoteUserServiceTicket.length);
                    return delegatedTokenForTheRemoteUser;

                } catch (GSSException e) {
                    e.printStackTrace();
                    return null;
                }
            }
        });
    } catch (Exception e) {
        //exception handling omitted
    }

    if (serviceTicket == null) {
        return null;   // login or context initialization failed
    }
    token = Base64.getEncoder().encodeToString(serviceTicket);
    return token;
}
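The following is an added example, not code from the original post or from its author. It shows the shape of the second hop in Java GSS-API as a practitioner would write it: the remote user's SPNEGO token is consumed with acceptSecContext on the AppServer (initSecContext produces initiator tokens, it does not take a peer's service ticket as input), the delegated credential is read from the accepted context with getDelegCred(), and that credential is used as the initiator credential of a fresh context to the backend. It assumes a JAAS entry named "Krb5Acceptor" (hypothetical name) that logs in the AppServer's service account from a keytab, and the hypothetical principal names HTTP/appserver.mydomain.example@MYDOMAIN and HTTP/mybackend.mydomain.example@MYDOMAIN; adjust them to the SPNs registered in AD. The JDK 8+ behaviour noted in the comments (getDelegCred() returning an S4U2Proxy-usable credential under constrained delegation) is stated from the JDK documentation and should be verified against the JDK actually deployed.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example: accept the browser's token, extract the delegated credential from the
 * accepted context, and initiate a new context to the backend as the remote user.
 *
 * Assumed JAAS entry "Krb5Acceptor" (hypothetical name and paths):
 *   Krb5Acceptor {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true keyTab="/etc/appserver.keytab" storeKey=true
 *       principal="HTTP/appserver.mydomain.example@MYDOMAIN";
 *   };
 * isInitiator is left at its default (true): constrained delegation (S4U2Proxy)
 * needs the service's own TGT in addition to the acceptor key.
 */
public class KerberosDelegation {

    private static final Oid SPNEGO_OID = oid("1.3.6.1.5.5.2");
    private static final Oid KRB5_OID = oid("1.2.840.113554.1.2.2");
    // Hypothetical backend SPN; must match the SPN registered in AD for the backend.
    private static final String BACKEND_SPN = "HTTP/mybackend.mydomain.example@MYDOMAIN";

    private static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** Result of one hop: the authenticated client and the header to send to the backend. */
    public static final class Hop {
        public final String clientPrincipal;
        public final String backendAuthorization;
        Hop(String clientPrincipal, String backendAuthorization) {
            this.clientPrincipal = clientPrincipal;
            this.backendAuthorization = backendAuthorization;
        }
    }

    /** @param clientToken raw bytes decoded from the browser's "Authorization: Negotiate ..." header */
    public static Hop delegate(byte[] clientToken) throws Exception {
        LoginContext lc = new LoginContext("Krb5Acceptor");   // keytab login: no password in code
        lc.login();
        Subject acceptor = lc.getSubject();
        try {
            return Subject.doAs(acceptor, (PrivilegedExceptionAction<Hop>) () -> {
                GSSManager mgr = GSSManager.getInstance();

                // 1. Accept the client's token with the AppServer's own (acceptor) credential.
                GSSCredential serverCred = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
                GSSContext in = mgr.createContext(serverCred);
                byte[] reply = in.acceptSecContext(clientToken, 0, clientToken.length);
                if (!in.isEstablished()) {
                    // Kerberos via SPNEGO normally completes in one leg; anything else (NTLM
                    // fallback, continue-needed) is rejected here rather than guessed at.
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                // 'reply', when non-null, belongs in "WWW-Authenticate: Negotiate" for mutual auth.
                String client = in.getSrcName().toString();

                // 2. The delegated credential comes from the ACCEPTED context.
                //    Unconstrained delegation: the client forwarded its TGT, getCredDelegState() is true.
                //    Constrained delegation (JDK 8+): getDelegCred() can still return a credential that
                //    only works towards SPNs listed in the service account's msDS-AllowedToDelegateTo.
                GSSCredential delegated = in.getDelegCred();
                if (delegated == null) {
                    // Hard failure: never fall back to calling the backend as the service itself.
                    throw new GSSException(GSSException.NO_CRED);
                }

                // 3. Initiate a fresh context to the backend with the delegated credential.
                GSSName backend = mgr.createName(BACKEND_SPN, null);
                GSSContext out = mgr.createContext(backend, KRB5_OID, delegated, GSSContext.DEFAULT_LIFETIME);
                out.requestMutualAuth(true);
                out.requestCredDeleg(false);   // do not forward the user's TGT one hop further
                byte[] backendToken = out.initSecContext(new byte[0], 0, 0);
                in.dispose();

                return new Hop(client, "Negotiate " + Base64.getEncoder().encodeToString(backendToken));
            });
        } finally {
            lc.logout();
        }
    }
}
```

Whether getDelegCred() returns anything is decided by AD, not by the code: for unconstrained delegation the service account needs "Trust this user for delegation to any service" and the client must be willing to forward its TGT (IE only does so for sites in the Intranet zone, and only if the SPN is marked OK-AS-DELEGATE); for constrained delegation the backend SPN must appear in msDS-AllowedToDelegateTo. Treat a null delegated credential as an authorization failure, since silently calling the backend with the AppServer's own identity loses the user context the backend is supposed to authorize.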

Source: https://stackoverflow.com/questions/37057717/how-to-delegate-the-kerberos-client-credentials-to-the-server
