
I need some high-level understanding of how a reverse proxy and the Kerberos protocol interact.

Suppose I have a web service and a client that are already implemented and working. Now we put the web service into a network behind a reverse proxy. Authentication inside the network behind the reverse proxy is based on Kerberos.

Now I would like to know whether this new infrastructure requires some programming changes on the web service side and on the client side. That depends on whether

  1. the reverse proxy acts as a client in this intranet using its own ticket, or
  2. the external client has to be aware of this additional authentication layer and must be able to request tickets itself.

What is the state of the art in this situation?

Thanks in advance!


1 Answer


I think I found the answer. Constrained delegation is the feature of the Kerberos protocol I expected to exist.

If we use SSL/TLS with mutual certificate-based authentication, then the client will be authenticated by the proxy, which validates the client's certificate against a local CA (within the hidden intranet). Afterwards, the proxy will generate Kerberos tickets on behalf of the already authenticated client.

At the server side, the ticket validation should happen at the runtime level (e.g., by IIS).

Hence, if the client is able to consume the service through SSL/TLS, then the Kerberos authentication remains fully transparent for the client and the server.

answered 2012-11-23T14:09:04.117
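The setup the answer describes, as an added example that is not part of the original question or answer: the proxy's service account is allowed to delegate only to the backend's SPN, and protocol transition is enabled because the client arrives with a TLS certificate rather than a Kerberos ticket. It assumes a Windows Active Directory domain with the ActiveDirectory module; the account names `proxysvc` and `backendsvc` and the SPN `HTTP/backend.corp.example` are placeholders.

```powershell
# Added example, not code from the original page. Account names and SPN are placeholders.
$ProxyAccount   = 'proxysvc'                   # account the reverse proxy runs as
$BackendSpn     = 'HTTP/backend.corp.example'  # SPN of the web service behind the proxy
$BackendAccount = 'backendsvc'                 # account the backend (e.g. IIS app pool) runs as

Import-Module ActiveDirectory

# Step 1: the backend's SPN must be registered on the account that runs it;
# otherwise the KDC cannot issue a service ticket for that service at all.
setspn -S $BackendSpn "corp\$BackendAccount"

# Weak setting (shown only so it can be recognised, left commented out):
# unconstrained delegation lets the proxy obtain tickets to ANY service as the user.
# Set-ADAccountControl -Identity $ProxyAccount -TrustedForDelegation $true

# Step 2: constrained delegation, limited to the backend SPN only.
Set-ADAccountControl -Identity $ProxyAccount -TrustedForDelegation $false
Set-ADUser -Identity $ProxyAccount -Replace @{ 'msDS-AllowedToDelegateTo' = @($BackendSpn) }

# Step 3: protocol transition. The client authenticated to the proxy with a
# TLS certificate, not Kerberos, so the proxy needs S4U2Self to obtain a
# ticket on the client's behalf before it can delegate to the backend.
Set-ADAccountControl -Identity $ProxyAccount -TrustedToAuthForDelegation $true

# Audit check: every account that may delegate, and to what. Anything with
# TrustedForDelegation = True, or with more targets than its role needs,
# deserves review, because such an account can act as its callers.
Get-ADUser -Filter "TrustedForDelegation -eq 'True' -or TrustedToAuthForDelegation -eq 'True' -or msDS-AllowedToDelegateTo -like '*'" `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The backend itself needs no code change: IIS validates the service ticket the proxy presents, exactly as it would for a direct Kerberos client.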