Any tips on how to accomplish the following would be appreciated:
Application A needs to call a SOAP web service (Application B) for a given user. Application A has authenticated the user using our own internal web security processes and knows the ID of the user. Application B requires a user ID and a Kerberos ticket to be passed to it. Can Application A retrieve a ticket from the KDC on behalf of the user to pass along to Application B?
I've been reading a lot about Constrained Delegation, S4U proxies, etc. but am not getting anywhere. This is running in Java 1.6. I'm thinking I need to use JAAS and GSS-API. Has anyone done something like this that could provide insight? I'm not even sure if the setup in Active Directory is correct.
Thank you in advance.
Stanford WebAuth is capable of handling this kind of delegation. It may not map very well into your application, but it at least shows what is possible.
https://github.com/Stanford/webauth
and might give you some hints.