Kerberos in Browser based Applications

Thu Mar 5 14:44:39 EST 2009

I documented using Kerberos with an Apache Web server and Firefox a while ago (for Solaris 10), 
but the ideas are very similar for Linux or non-Solaris as long as you stick with Apache, Firefox, 
and a Kerberos package that is based-on MITs codebase.

http://blogs.sun.com/wyllys/entry/kerberos_web_authentiation_with_apache

The doc may be a bit out of date, but I believe most of the steps are still correct and apply
to newer releases of Solaris as well as Linux, albeit with some slight different pathnames
and settings.

Just getting web-based authentication configured and working is only the beginning, though.
To extend the reach and the use of the tickets to other processes (such as having the
forwarded ticket then be used to authenticate to other backend services on behalf of the user)
would require additional work for both the web server and the middleware that it
needs to talk to.   Getting this to work with Tomcat or other web servers will definitely
require some additional effort and digging around, I don't know what the current state
of the art is in those areas.

-Wyllys

Frank Gruellich wrote:
> Hi,
> 
> I have set up a Kerberos realm.  A user and a service (let's say a
> database) are both included as principals in KDC database and the
> service restricts access to */dbuser at EXAMPLE.COM.  User and service can
> communicate perfectly using a database CLI at the users machine.
> 
> Now these days CLIs aren't "state-of-the-art" anymore and $managers
> refuse to use them.  Let's throw a long discussion and platform
> independent, Web2.0 ready and more buzzwords into the pot and we get the
> need for a browser based web frontend to the service.  And that's the
> point where I do not get the full picture about Kerberos.
> 
> How would that work in a fully kerberized environment using all these
> great features like single-sign-on and never transmitting a password
> over the wire?  For sure, I would have to add the webserver to the KDC
> database, but what then?  Would I add the webserver principal to the ACL
> list of the service and add another authentication/authorization layer
> into the web application?  Could I somehow forward the users ticket for
> the service to the webserver and make the application to give it to the
> service proving this way that the user requested access to the service?
> That would keep all authentication on service side, but is it a good
> idea to give a service ticket to another machine?  Would that even work
> given that the users machine IP# is added to the tickets, AFAICS?
> 
> In the current setup the software involved are MIT Kerberos, an OpenLDAP
> server as service, e.g. phpLDAPadmin as web application, Apache httpd
> running it, and various browsers used to access it running on different
> OS's.  But I'm more interested in the general Kerberos idea how to do
> that.  However, if you point me to specific software I should use in
> this setup I would be happy, too.
> 
> Thanks in advance for some enlightenment.
> 
> Kind regards,