I have been reading about "Kerberos Delegation" for about 3 hours now. It is quite a simple concept, but there are so many things that I have no answer for at the moment.
Consider WEB1 and DB1 as front-end and back-end servers. Also there is CL1, which acts as the client. The scenario is really simple: the client opens a website located at WEB1, selects a report, hits the "Generate Report" button, the report is fetched from DB1 and sent to WEB1, and the client sees that report in his browser at CL1. That is the whole scenario. So here are the questions:
- Why does DB1 even need the user's credentials or TGT, based on the concepts of Kerberos Delegation? Can WEB1 not simply present its own TGT to DB1 and fetch the result that the user needs, then present the result to the user? Not even a single touch on the user's credentials or his TGT or TGS, ...
- Of course there will be service accounts on DB1 to fetch the results. We call this service account SVC1. Considering this, WEB1 will ask DB1: "Hey DB1! I know SVC1 is over there and has access. Can you tell him to create this X report for me?" The report is prepared and sent back to WEB1, which presents it in the browser and says: "There you go CL1. Here is the report you wanted." Considering this example, why should WEB1 ask for tickets on behalf of CL1? Why the bloody hell why???
- This question is simple: I do not understand the role of 'Kerberos Delegation' here. :D
Thanks, everybody!
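The scenario in the question, as an added toy model that is not part of the original post and is not real Kerberos: it contrasts WEB1 querying DB1 as itself with WEB1 holding a delegated service ticket that names the browser user. The ticket structure, the `MSSQLSvc/DB1` SPN, the `WEB1$` account, the users, reports and ACLs are all constructed for illustration, and `kdc_s4u2proxy` is a stand-in for the KDC's constrained-delegation check, not a library call. What it shows is the defender's reason delegation exists: when DB1 only ever sees WEB1's own identity, DB1 can neither authorise per user nor audit who actually read which report, so that decision has to be trusted entirely to the web application.

```python
"""Toy model (constructed, not real Kerberos) of the WEB1 / DB1 / CL1 scenario.
Contrasts a front-end talking to the back-end as itself with a front-end
holding a delegated ticket that names the end user."""
from dataclasses import dataclass

DB1_SPN = "MSSQLSvc/DB1"        # constructed service principal name for DB1
WEB1_ACCOUNT = "WEB1$"          # constructed account WEB1 authenticates as


@dataclass(frozen=True)
class ServiceTicket:
    client: str    # principal the KDC says this ticket was issued for
    service: str   # service the ticket is good for


# Constructed KDC policy: which front-ends may obtain tickets to which
# services on behalf of a user (a constrained-delegation allow-list).
ALLOWED_TO_DELEGATE = {WEB1_ACCOUNT: {DB1_SPN}}


def kdc_issue_ticket(client, service):
    """Ordinary ticket: the requester gets a ticket in its own name."""
    return ServiceTicket(client=client, service=service)


def kdc_s4u2proxy(front_end, user, target):
    """Delegated ticket: the front-end gets a ticket to `target` that names
    `user` as the client, but only if KDC policy allows that pairing.
    (Hypothetical stand-in for the KDC's check, not a real API.)"""
    if target not in ALLOWED_TO_DELEGATE.get(front_end, set()):
        raise PermissionError(f"{front_end} may not delegate to {target}")
    return ServiceTicket(client=user, service=target)


# Constructed per-report ACL on DB1.  Without delegation, WEB1's own account
# has to be granted every report, because that is the only identity DB1 sees.
REPORT_ACL = {
    "sales_q1": {"alice", "bob", WEB1_ACCOUNT},
    "payroll":  {"bob", WEB1_ACCOUNT},
}
REPORTS = {"sales_q1": "Q1 sales: ...", "payroll": "salaries: ..."}
AUDIT_LOG = []   # (principal DB1 saw, report) for every request


def db1_fetch_report(ticket, report):
    """DB1 authorises and audits using the client named in the ticket;
    it has no other way of knowing who is behind the request."""
    if ticket.service != DB1_SPN:
        raise PermissionError("ticket is not for DB1")
    AUDIT_LOG.append((ticket.client, report))
    if ticket.client not in REPORT_ACL.get(report, set()):
        raise PermissionError(f"{ticket.client} may not read {report}")
    return REPORTS[report]


def web1_without_delegation(user, report):
    """WEB1 authenticated `user` at the browser, but queries DB1 as itself.
    `user` is deliberately unused: DB1 never learns it."""
    ticket = kdc_issue_ticket(WEB1_ACCOUNT, DB1_SPN)
    return db1_fetch_report(ticket, report)


def web1_with_delegation(user, report):
    """WEB1 obtains a ticket to DB1 that names `user`, so DB1 makes the
    authorisation decision and records the real reader."""
    ticket = kdc_s4u2proxy(WEB1_ACCOUNT, user, DB1_SPN)
    return db1_fetch_report(ticket, report)


def last_audited_principal():
    """Who DB1's audit log says made the most recent request."""
    return AUDIT_LOG[-1][0] if AUDIT_LOG else None


if __name__ == "__main__":
    # alice is not on the payroll ACL, yet DB1 serves it: it only saw WEB1$.
    print(web1_without_delegation("alice", "payroll"), "| audited as",
          last_audited_principal())
    try:
        web1_with_delegation("alice", "payroll")
    except PermissionError as err:
        print("delegated request refused:", err, "| audited as",
              last_audited_principal())
```

Running it shows the same request ("alice wants payroll") succeeding when DB1 only sees `WEB1$` and being refused, with `alice` in the audit log, when the ticket carries her identity. The allow-list in `ALLOWED_TO_DELEGATE` is the other half of the picture: the KDC only lets WEB1 act as a user towards the specific services an administrator listed, which is what keeps a compromised front-end from becoming everyone's identity everywhere.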