Question: Optimizing Kerberos Authentication for API Connections (Oracle & Active Directory)

[DanielMGoldberg]

Hi everyone!

I’m working on a .NET 8 API that uses Kerberos authentication for both Oracle and Active Directory connections. Currently, my middleware calls client.Authenticate() on every API request, but I believe this might not be the most efficient approach, as it leads to re-authentication with each request.

What I’d like to achieve:
I want to configure the middleware to only refresh the Kerberos cache (krbcache) when it’s close to expiration, rather than re-authenticating on every call. This would allow the cache to be kept up-to-date without incurring unnecessary authentication overhead for both Oracle and Active Directory connections.

Has anyone implemented a similar solution or know the best way to manage Kerberos cache renewal efficiently for both Oracle and Active Directory in .NET applications?

Thanks for your help!

[SteveSyfuhs]

The scope of a client is the authenticated credential, so as long as that credential isn’t changing you can just keep either a persistent version of the client around or enable it to cache to disk and tell it to renew tickets. client.CacheInMemory = false; client.CacheServiceTickets = true; client.Cache = // file cache explicitly or by config client.RenewTickets = true; // ordering matters client.Authenticate(...); That should reduce the number of times the client triggers a reauth. It's not perfect though. The client may decide it needs a new ticket for some reason.

…

________________________________ From: DanielMGoldberg ***@***.***> Sent: Sunday, November 10, 2024 8:20:43 AM To: dotnet/Kerberos.NET ***@***.***> Cc: Subscribed ***@***.***> Subject: [dotnet/Kerberos.NET] Question: Optimizing Kerberos Authentication for API Connections (Oracle & Active Directory) (Issue #384) Hi everyone! I’m working on a .NET 8 API that uses Kerberos authentication for both Oracle and Active Directory connections. Currently, my middleware calls client.Authenticate() on every API request, but I believe this might not be the most efficient approach, as it leads to re-authentication with each request. What I’d like to achieve: I want to configure the middleware to only refresh the Kerberos cache (krbcache) when it’s close to expiration, rather than re-authenticating on every call. This would allow the cache to be kept up-to-date without incurring unnecessary authentication overhead for both Oracle and Active Directory connections. Has anyone implemented a similar solution or know the best way to manage Kerberos cache renewal efficiently for both Oracle and Active Directory in .NET applications? Thanks for your help! — Reply to this email directly, view it on GitHub<#384> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJHTYO7MX4QG4NBLJXKNPTZ76BVZBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJLJONZXKZNENZQW2ZNLORUHEZLBMRPXI6LQMWBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTLDTOVRGUZLDORPXI6LQMWSUS43TOVS2M5DPOBUWG44SQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKBYGU2DQOJRGM4IFJDUPFYGLJLJONZXKZNFOZQWY5LFVIZDMNBXGM4DSNBSGOTXI4TJM5TWK4VGMNZGKYLUMU>. You are receiving this email because you are subscribed to this thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[DanielMGoldberg]

Thanks for the detailed guidance. I just wanted to confirm: since I'm not manually generating tickets, my application automatically uses an existing krb5cc cache file. Given this, is setting client.RenewTickets = true sufficient to manage TGT expiration automatically, even if I’m not directly invoking Authenticate()?

Or would I need to explicitly re-authenticate or configure additional settings to ensure the TGT is renewed as needed?

[SteveSyfuhs]

Just don't call Authenticate() but do set the properties in that order and you're fine.

…

________________________________ From: DanielMGoldberg ***@***.***> Sent: Sunday, November 10, 2024 8:42:18 AM To: dotnet/Kerberos.NET ***@***.***> Cc: Comment ***@***.***>; Subscribed ***@***.***> Subject: Re: [dotnet/Kerberos.NET] Question: Optimizing Kerberos Authentication for API Connections (Oracle & Active Directory) (Issue #384) Thanks for the detailed guidance. I just wanted to confirm: since I'm not manually generating tickets, my application automatically uses an existing krb5cc cache file. Given this, is setting client.RenewTickets = true sufficient to manage TGT expiration automatically, even if I’m not directly invoking Authenticate()? Or would I need to explicitly re-authenticate or configure additional settings to ensure the TGT is renewed as needed? — Reply to this email directly, view it on GitHub<#384 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJHTYJMA7PRZYCRMFAISHTZ76EGVBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVA4DKNBYHEYTGOECUR2HS4DFUVUXG43VMWSXMYLMOVS2UMRWGQ3TGOBZGQZDHJ3UOJUWOZ3FOKTGG4TFMF2GK>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[DanielMGoldberg]

Hey, after the expiration time of the krb5cc cache, the TGT did not refresh automatically. What am I missing ?

[DanielMGoldberg]

Should I manually retrieve the TGT from the cache using client.Cache.GetCacheItem("krbtgt@..."), then check the remaining time with the EndTime property? If it’s about to expire, I can just call RenewTicket() to refresh the TGT.

[SteveSyfuhs]

It should do it automatically. I'm not sure why it wouldn't.

…

________________________________ From: DanielMGoldberg ***@***.***> Sent: Tuesday, November 12, 2024 2:12:38 AM To: dotnet/Kerberos.NET ***@***.***> Cc: Comment ***@***.***>; Subscribed ***@***.***> Subject: Re: [dotnet/Kerberos.NET] Question: Optimizing Kerberos Authentication for API Connections (Oracle & Active Directory) (Issue #384) Should I manually retrieve the TGT from the cache using ***@***.***"), then check the remaining time with the EndTime property? If it’s about to expire, I can just call RenewTicket() to refresh the TGT. — Reply to this email directly, view it on GitHub<#384 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJHTYIFPQCYK2CPSJIP4IL2AHIBNBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVA4DKNBYHEYTGOECUR2HS4DFUVUXG43VMWSXMYLMOVS2UMRWGQ3TGOBZGQZDHJ3UOJUWOZ3FOKTGG4TFMF2GK>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.