Kerberos newbie questions

Wyllys Ingersoll wyllys.ingersoll at
Wed Dec 4 14:53:23 EST 2002

Oliver Baltz wrote:

>*** post for FREE via your newsreader at ***
>Hi there,
>I hope someone is ready to answer me some "beginner" questions :-) I just
>start asking...
>1. Is Kerberos suitable for securing WebSites? (Background: Single sign-on
>for web-based applications on different domains using different technologies
>like PHP, JSP, ... They're all under a common administrative control)
Only if you use Microsoft IIS and Microsoft IE browser.   They have 
a unique method for doing Kerberos authentication using GSSAPI and SPNEGO.
They did publish an IETF draft describing the method and so, theoretically,
someone could implement the same stuff in Apache and Mozilla, but noone
has yet done so.    If you really want to use Kerberos for Web SSO, you
probably need to go with  Microsoft Active Directory, IIS, and IE.
The security history of IIS and IE is well documented, so choose wisely :)

>2. If so, which browsers respectively operating systems do support
>kerberos-enabled WebSites? Can Kerberos-support for webSites be installed
see above.

>2. Is it possible to use a LDAP directory server to store each user's access
>rights, and let the ticket granting server use LDAP to decide whether it
>grants a ticket or not?
This sounds like you are asking for "authorization" information, which is
distinctly different from Authentication (which Kerberos provides).

Your servers can be coded to use whatever they like to do the authorization
checking, including LDAP lookups of some sort.    Its beyond the scope
of the KDC to decide whether or not a user should have access to a 
service.   The KDC simply manages keys and issues tickets, it does not
perform the authorization checking for the kerberized services for which it
issues tickets.

>3. Are there any commercial implementations supporting all of that?
Windows 2000/XP Active Directory, IIS, IE all together might provide some
of what you are asking for, but perhaps not everything you want.

More information about the Kerberos mailing list