I'm trying to access Kerberized Hadoop cluster REST APIs from my .NET client using WebRequests. I'm using credentials from my ActiveDirectory domain, which has trust relations with the Hadoop realm:
NetworkCredential credentials = new NetworkCredential("user", "password", "ACTIVEDIRECTORY.DOMAIN");
WebRequest request = WebRequest.Create(System.Uri.EscapeUriString(url));
request.Credentials = credentials;
request.Method = "GET";
WebResponse response = await request.GetResponseAsync();
My workflow works fine, as I see 3 responses to my requests:
HTTP/1.1 401 Authentication required
HTTP/1.1 307 TEMPORARY_REDIRECT
HTTP/1.1 200 OK
In my second request I see a Kerberos token sent as a separate security header:
Authorization: Negotiate YIIDXAYGKwYBBQUCoIIDUDCCA...
But this is my UPN account, and I want to replace it with the SPN with a keytab instead of a password, as the application will act as a standalone WCF service and I don't want to mess with web config security containers.
So my questions are:
1) Is it possible to use a keytab instead of my UPN credentials to generate the SPNEGO Negotiate token after the first request?
2) Is there any way to use an already obtained ticket from my cache in my WebRequest object?
3) How is my Kerberos token being generated? Is it a GSSAPI-encrypted version of my username and password?
I was trying to use the MIT Kerberos Manager utilities for that, but without much progress there.
Thanks in advance
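Added example, not part of the original post: a small C# helper that classifies the value of an `Authorization: Negotiate` header by its outer GSS-API framing, which also shows whether a client sent a Kerberos-capable SPNEGO token or fell back to raw NTLM. It is run on the truncated header quoted in the question and on a constructed NTLM sample; the class and method names are hypothetical.

```csharp
using System;

static class NegotiateTokenInspector
{
    // DER-encoded mechanism OIDs (tag 0x06, length, value) and the NTLMSSP signature.
    static readonly byte[] SpnegoOid   = { 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };                   // 1.3.6.1.5.5.2
    static readonly byte[] KerberosOid = { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }; // 1.2.840.113554.1.2.2
    static readonly byte[] NtlmSsp     = { (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', 0 };

    public static string Classify(string headerValue)
    {
        const string scheme = "Negotiate ";
        if (headerValue == null || !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return "not a Negotiate header";

        // Drop a trailing "..." from a truncated capture and keep whole 4-character base64 groups only.
        string b64 = headerValue.Substring(scheme.Length).Trim().TrimEnd('.');
        b64 = b64.Substring(0, b64.Length - b64.Length % 4);
        byte[] tok;
        try { tok = Convert.FromBase64String(b64); }
        catch (FormatException) { return "invalid base64"; }

        if (StartsWithAt(tok, 0, NtlmSsp)) return "raw NTLMSSP (no Kerberos ticket)";
        // 0x60 is the [APPLICATION 0] tag that opens a GSS-API InitialContextToken.
        if (tok.Length < 2 || tok[0] != 0x60) return "unknown token";

        // Skip the DER length: short form is one byte, long form is 0x80|n followed by n length bytes.
        int pos = 1 + ((tok[1] & 0x80) != 0 ? 1 + (tok[1] & 0x7f) : 1);
        if (StartsWithAt(tok, pos, SpnegoOid)) return "SPNEGO (1.3.6.1.5.5.2)";
        if (StartsWithAt(tok, pos, KerberosOid)) return "Kerberos 5 (1.2.840.113554.1.2.2)";
        return "GSS-API token, unrecognised mechanism";
    }

    static bool StartsWithAt(byte[] data, int offset, byte[] prefix)
    {
        if (offset < 0 || data.Length - offset < prefix.Length) return false;
        for (int i = 0; i < prefix.Length; i++)
            if (data[offset + i] != prefix[i]) return false;
        return true;
    }

    static void Main()
    {
        // Header value exactly as quoted in the question, still truncated.
        Console.WriteLine(Classify("Negotiate YIIDXAYGKwYBBQUCoIIDUDCCA..."));
        // Constructed sample: base64 of "NTLMSSP\0" followed by message type 1.
        Console.WriteLine(Classify("Negotiate TlRMTVNTUAABAAAA"));
    }
}
```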