Question: Optimizing Kerberos Authentication for API Connections (Oracle & Active Directory)
Hi everyone!
I’m working on a .NET 8 API that uses Kerberos authentication for both Oracle and Active Directory connections. Currently, my middleware calls client.Authenticate() on every API request, but I believe this might not be the most efficient approach, as it leads to re-authentication with each request.
What I’d like to achieve:
I want to configure the middleware to only refresh the Kerberos cache (krbcache) when it’s close to expiration, rather than re-authenticating on every call. This would allow the cache to be kept up-to-date without incurring unnecessary authentication overhead for both Oracle and Active Directory connections.
Has anyone implemented a similar solution, or does anyone know the best way to manage Kerberos cache renewal efficiently for both Oracle and Active Directory in .NET applications?
Thanks for your help!
Thanks for the detailed guidance. I just wanted to confirm: since I'm not manually generating tickets, my application automatically uses an existing krb5cc cache file. Given this, is setting client.RenewTickets = true sufficient to manage TGT expiration automatically, even if I’m not directly invoking Authenticate()?
Or would I need to explicitly re-authenticate or configure additional settings to ensure the TGT is renewed as needed?
Hey, after the expiration time of the krb5cc cache, the TGT did not refresh automatically. What am I missing?
Should I manually retrieve the TGT from the cache using client.Cache.GetCacheItem("krbtgt@..."), then check the remaining time with the EndTime property? If it’s about to expire, I can just call RenewTicket() to refresh the TGT.
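The "refresh only when the TGT is close to expiring" pattern discussed in this thread, as an added example that is not part of any post above and not the Kerberos library's own code. `TgtRefreshGate` and its two delegates are hypothetical: the caller is assumed to supply one delegate that reads the cached TGT's end time and one that renews or re-authenticates.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper (not a type from any Kerberos library).
public sealed class TgtRefreshGate
{
    // Assumed: returns the end time of the cached krbtgt entry, or null if none is cached.
    private readonly Func<DateTimeOffset?> _getTgtEndTime;
    // Assumed: renews the TGT or performs a full authentication.
    private readonly Func<CancellationToken, Task> _refresh;
    private readonly TimeSpan _threshold;
    private readonly SemaphoreSlim _lock = new(1, 1);

    public TgtRefreshGate(Func<DateTimeOffset?> getTgtEndTime,
                          Func<CancellationToken, Task> refresh,
                          TimeSpan threshold)
    {
        _getTgtEndTime = getTgtEndTime;
        _refresh = refresh;
        _threshold = threshold;
    }

    // True when no TGT is cached or it ends within the threshold.
    private bool NeedsRefresh()
    {
        DateTimeOffset? end = _getTgtEndTime();
        return end is null || end.Value - DateTimeOffset.UtcNow <= _threshold;
    }

    // Called once per request by the middleware; returns immediately while the TGT is fresh.
    public async Task EnsureFreshAsync(CancellationToken ct = default)
    {
        if (!NeedsRefresh()) return;           // fast path: no lock, no KDC round trip
        await _lock.WaitAsync(ct);
        try
        {
            // Re-check under the lock: a concurrent request may already have refreshed.
            if (NeedsRefresh()) await _refresh(ct);
        }
        finally
        {
            _lock.Release();
        }
    }
}
```

Register one instance as a singleton so all requests share the lock. A Kerberos ticket can only be renewed before its end time and within its renew-till limit, so the refresh delegate needs a full-authentication fallback for a ticket that has already expired.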