Question: Optimizing Kerberos Authentication for API Connections (Oracle & Active Directory) #384
Comments
The scope of a client is the authenticated credential, so as long as that credential isn’t changing you can just keep either a persistent version of the client around or enable it to cache to disk and tell it to renew tickets.
client.CacheInMemory = false;
client.CacheServiceTickets = true;
client.Cache = // file cache explicitly or by config
client.RenewTickets = true; // ordering matters
client.Authenticate(...);
That should reduce the number of times the client triggers a reauth. It's not perfect though. The client may decide it needs a new ticket for some reason.
From: DanielMGoldberg
Sent: Sunday, November 10, 2024 8:20:43 AM
Hi everyone!
I’m working on a .NET 8 API that uses Kerberos authentication for both Oracle and Active Directory connections. Currently, my middleware calls client.Authenticate() on every API request, but I believe this might not be the most efficient approach, as it leads to re-authentication with each request.
What I’d like to achieve:
I want to configure the middleware to only refresh the Kerberos cache (krbcache) when it’s close to expiration, rather than re-authenticating on every call. This would allow the cache to be kept up-to-date without incurring unnecessary authentication overhead for both Oracle and Active Directory connections.
Has anyone implemented a similar solution or know the best way to manage Kerberos cache renewal efficiently for both Oracle and Active Directory in .NET applications?
Thanks for your help!
Thanks for the detailed guidance. I just wanted to confirm: since I'm not manually generating tickets, my application automatically uses an existing krb5cc cache file. Given this, is setting client.RenewTickets = true sufficient to manage TGT expiration automatically, even if I’m not directly invoking Authenticate()? Or would I need to explicitly re-authenticate or configure additional settings to ensure the TGT is renewed as needed?
Just don't call Authenticate() but do set the properties in that order and you're fine.
From: DanielMGoldberg
Sent: Sunday, November 10, 2024 8:42:18 AM
Thanks for the detailed guidance. I just wanted to confirm: since I'm not manually generating tickets, my application automatically uses an existing krb5cc cache file. Given this, is setting client.RenewTickets = true sufficient to manage TGT expiration automatically, even if I’m not directly invoking Authenticate()?
Or would I need to explicitly re-authenticate or configure additional settings to ensure the TGT is renewed as needed?
Hey, after the expiration time of the krb5cc cache, the TGT did not refresh automatically. What am I missing?
Should I manually retrieve the TGT from the cache using client.Cache.GetCacheItem("krbtgt@..."), then check the remaining time with the EndTime property? If it’s about to expire, I can just call RenewTicket() to refresh the TGT.
It should do it automatically. I'm not sure why it wouldn't.
From: DanielMGoldberg
Sent: Tuesday, November 12, 2024 2:12:38 AM
Should I manually retrieve the TGT from the cache using client.Cache.GetCacheItem("krbtgt@..."), then check the remaining time with the EndTime property? If it’s about to expire, I can just call RenewTicket() to refresh the TGT.
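The check proposed in the thread (read the cached TGT's EndTime and renew shortly before it) is shown here as standalone decision logic. This is an added example, not Kerberos.NET code and not code from the thread. `TicketTimes`, `CacheAction`, `TgtPolicy` and the 15-minute window are hypothetical, the ticket times are constructed, and the logic relies on the Kerberos rule that only a still-valid renewable ticket can be renewed, and only up to its renew-till time.

```csharp
using System;

// Constructed stand-in for the lifetime fields of a cached TGT (hypothetical type).
public sealed record TicketTimes(DateTimeOffset EndTime, DateTimeOffset? RenewTill, bool Renewable);

public enum CacheAction { Reuse, Renew, Reauthenticate }

public static class TgtPolicy
{
    // Decide what to do with a cached TGT at time 'now'.
    // 'window' is how long before EndTime renewal should start (assumed policy value).
    public static CacheAction Decide(TicketTimes t, DateTimeOffset now, TimeSpan window)
    {
        // An expired ticket cannot be renewed: the KDC rejects it, so only a
        // fresh initial authentication (password or keytab) will work.
        if (now >= t.EndTime) return CacheAction.Reauthenticate;

        // Plenty of lifetime left: keep using the cached ticket.
        if (t.EndTime - now > window) return CacheAction.Reuse;

        // Inside the window: renewal needs a renewable ticket whose
        // renew-till time is still in the future.
        bool canRenew = t.Renewable && t.RenewTill is { } till && till > now;
        return canRenew ? CacheAction.Renew : CacheAction.Reauthenticate;
    }
}

public static class Demo
{
    public static void Main()
    {
        var issued = new DateTimeOffset(2024, 11, 10, 8, 0, 0, TimeSpan.Zero); // constructed
        var renewable = new TicketTimes(issued.AddHours(10), issued.AddDays(7), Renewable: true);
        var fixedLife = renewable with { RenewTill = null, Renewable = false };
        var window = TimeSpan.FromMinutes(15);

        // Early in the lifetime, inside the renewal window, and after expiry.
        foreach (var hours in new[] { 1.0, 9.9, 10.5 })
        {
            var now = issued.AddHours(hours);
            Console.WriteLine($"{now:u} renewable={TgtPolicy.Decide(renewable, now, window)} " +
                              $"non-renewable={TgtPolicy.Decide(fixedLife, now, window)}");
        }
    }
}
```

A process that first checks the cache after EndTime has passed, or that holds a ticket issued without the renewable flag, lands in the Reauthenticate branch and needs a credential or keytab available to it.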