Kerberos user and domain

The control API command KERB_USER sets which Kerberos user is used for which mapping. Only one Kerberos user can be set per mapping, so a command with a mapping specification overrides any existing value with the same mapping specification. Similarly, a command without a mapping specification overrides the global Kerberos user. Cross-realm authentication is possible with both Kerberos Constrained Delegation (KCD) and Resource Based Kerberos Constrained Delegation (RBKCD).

;; KERB_USER
kerberos-user-command       = kerberos-user-command-name "=" kerberos-user-command-value
kerberos-user-command-name  = "KERB_USER"
kerberos-user-command-value = kerberos-user-values
kerberos-user-values        = kerberos-user-value [ "," kerberos-user-values ]
kerberos-user-value         = percent-encoded-domain-and-user [ "@" [ mapping-name ] ]
domain-and-user             = [ domain ] "\" [ user ]

When a Kerberos user is looked up for the current mapping, the most qualified entry is selected: a user entry with a matching mapping is preferred over a user entry without a defined mapping.

If a user is given and no domain is specified, a service ticket will be acquired for the user in the current domain. The current domain is defined by the Kerberos environment configured in the back-end group of the issuing request. If a domain name is given, the service ticket will be acquired for the user in the given domain.

Sending the command with an empty user definition deletes the entry for the given mapping. If both the mapping and the user definitions are empty, all entries are removed.

Example:
The pseudo code examples below show how to use this command.

Set user "john" on mapping "mapping_a"

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("john"))+"@mapping_a")

Results in:

Set-Cookie: AL_CONTROL=KERB_USER%3Djohn%40mapping_a

Set user "susan" for all mappings

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("susan")))

Results in:

Set-Cookie: AL_CONTROL=KERB_USER%3Dsusan

Set user "thiago" on all mappings with domain specification (cross-domain)

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("other_domain\\thiago")))

Results in:

Set-Cookie: AL_CONTROL=KERB_USER%3DOTHER_DOMAIN%255Cthiago

Remove the entry for mapping "mapping_b"

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode(""))+"@mapping_b")

Results in:

Set-Cookie: AL_CONTROL=KERB_USER%3D%40mapping_b

Remove all user entries

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("KERB_USER="+URL_Encode(UTF8_Encode("")))

Results in:

Set-Cookie: AL_CONTROL=KERB_USER%3D
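
The double encoding from the pseudo code above, as an added Python example (not part of the original documentation or the product's code): the inner percent-encoding keeps a "," or "@" inside a user name from being read as the list separator or the mapping delimiter. parse_kerb_user and select_user are a hypothetical model of the grammar and of the "most qualified user" rule; all function names, and leaving out the backslash when no domain is given (as the examples above do), are assumptions.

```python
from urllib.parse import quote, unquote

def kerb_user_value(user="", domain=None, mapping=None):
    """Build one kerberos-user-value; an empty user deletes the entry."""
    # Assumption (follows the page's examples): no backslash without a domain.
    ident = user if domain is None else f"{domain}\\{user}"
    # Inner encoding: "," "@" and "\" inside the identity can no longer be
    # mistaken for the list separator or the mapping delimiter.
    value = quote(ident, safe="", encoding="utf-8")
    if mapping is not None:
        # The mapping name is not percent-encoded in the grammar, so refuse
        # names that contain a grammar delimiter (defensive check, assumption).
        if "," in mapping or "@" in mapping:
            raise ValueError("mapping name contains a grammar delimiter")
        value += "@" + mapping
    return value

def al_control_cookie(*values):
    """Outer encoding of the whole command, as in the page's pseudo code."""
    return "AL_CONTROL=" + quote("KERB_USER=" + ",".join(values), safe="")

def parse_kerb_user(cookie):
    """Reverse both encoding layers into {mapping or None: identity}."""
    name, _, raw = cookie.partition("=")
    command, _, body = unquote(raw).partition("=")
    if name != "AL_CONTROL" or command != "KERB_USER":
        raise ValueError("not a KERB_USER control cookie")
    entries = {}
    for item in body.split(","):
        ident, at, mapping = item.partition("@")
        # "@" with an empty mapping name is treated like no mapping (global).
        entries[mapping if at and mapping else None] = unquote(ident)
    return entries

def select_user(entries, mapping):
    """Most qualified entry wins: mapping-specific before global."""
    return entries.get(mapping) or entries.get(None)

if __name__ == "__main__":
    # Constructed sample: an identity that contains the list separator.
    cookie = al_control_cookie(kerb_user_value("doe,john", mapping="mapping_a"),
                               kerb_user_value("susan"))
    print(cookie)
    print(parse_kerb_user(cookie))
```
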