Kerberos, ActiveDirectory and Token API Combination

I'm looking for some guidance on how best to implement access security to search. My search clients are all Windows apps running in an AD domain. I have configured Elasticsearch with a Kerberos realm for authentication and an Active Directory realm for authorization. I've mapped AD groups to Elasticsearch roles and everything is working as expected. However, I can see that every search request from the client takes two HTTP requests, one that receives the 401 challenge followed by a second that provides the Kerberos ticket. To avoid the double hit on every search request I am using the Token API to generate a "session" token that I can send along with all subsequent search requests after the initial Kerberos exchange. One concern I had is that I have to give "manage_token" access to the groups that will use the client application in order to be able to call the Token API.

My question is, is this a proper approach to handling SSO in my environment? Is there a better implementation approach that I'm just not aware of, or a way to avoid having to use a token?
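As an added illustration (not code from the original post or from Elastic), here is a Python sketch of the session pattern described above: one Kerberos-authenticated call to the Token API with the `client_credentials` grant, then a cached bearer token on every search, renewed before `expires_in` elapses and re-obtained once on a 401. The HTTP transport callable, the SPNEGO ticket callback and the `FakeCluster` stand-in are assumptions constructed so the flow runs offline.

```python
TOKEN_ENDPOINT = "/_security/oauth2/token"   # Elasticsearch Token API

class ElasticSession:
    # Does the Kerberos exchange once, then sends a bearer token with every search.
    def __init__(self, transport, spnego_ticket, clock):
        self._send = transport        # callable(method, path, headers, body) -> (status, dict); assumed
        self._ticket = spnego_ticket  # callable() -> base64 SPNEGO token from SSPI/GSSAPI; assumed
        self._clock, self._token, self._expires_at = clock, None, 0.0

    def _obtain_token(self):
        # One Kerberos-authenticated call to the Token API; the caller needs manage_token
        status, body = self._send("POST", TOKEN_ENDPOINT,
                                  {"Authorization": "Negotiate " + self._ticket()},
                                  {"grant_type": "client_credentials"})
        if status != 200:
            raise PermissionError(f"token request failed with HTTP {status}")
        self._token = body["access_token"]
        # Renew 30 s early so a token that is about to expire is never sent
        self._expires_at = self._clock() + body["expires_in"] - 30

    def request(self, method, path, body=None):
        if self._token is None or self._clock() >= self._expires_at:
            self._obtain_token()
        status, resp = self._send(method, path, {"Authorization": "Bearer " + self._token}, body)
        if status == 401:               # token invalidated server-side: re-authenticate exactly once
            self._obtain_token()
            status, resp = self._send(method, path, {"Authorization": "Bearer " + self._token}, body)
        return status, resp

class FakeCluster:
    # Constructed stand-in for Elasticsearch; counts round trips so the saving is visible.
    def __init__(self):
        self.calls, self.issued = 0, 0
    def __call__(self, method, path, headers, body):
        self.calls += 1
        auth = headers.get("Authorization", "")
        if path == TOKEN_ENDPOINT:
            if not auth.startswith("Negotiate "):
                return 401, {"error": "Kerberos ticket required"}
            self.issued += 1
            return 200, {"access_token": f"tok{self.issued}", "type": "Bearer", "expires_in": 1200}
        if auth == f"Bearer tok{self.issued}":
            return 200, {"hits": {"total": {"value": 1}}}
        return 401, {"error": "invalid or expired token"}

def run_searches(count, seconds_between=0):
    # Issues `count` searches against the fake cluster; returns (HTTP round trips, tokens issued)
    now, cluster = [0.0], FakeCluster()
    session = ElasticSession(cluster, lambda: "YIIC...constructed-ticket", clock=lambda: now[0])
    for _ in range(count):
        status, _ = session.request("GET", "/logs-*/_search", {"query": {"match_all": {}}})
        assert status == 200
        now[0] += seconds_between
    return cluster.calls, cluster.issued
```

With a 1200 s token lifetime, five back-to-back searches cost six round trips and one token, while three searches spaced 600 s apart trigger one renewal before the token expires.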
