Kerberos authentication for Web Services

Frank Balluffi frank.balluffi at db.com
Mon Jul 8 15:03:25 EDT 2002


I am not working on Kerberos authentication via SOAP, but it is my understanding that IBM's and Microsoft's WS-Security adds XML Signature and XML Encryption to SOAP and that authentication is implicit in each message, and that you will need to explicitly send KRB_AP_REQ and KRB_AP_REP messages to authenticate before you can send KRB_PRIV and KRB_SAFE messages via SOAP.

Frank



                                                                                                                                       
jredburn at wso.williams.edu (jeremy redburn)
Sent by: kerberos-admin at mit.edu
07/08/2002 11:04 AM

To: kerberos at mit.edu
cc:
Subject: Kerberos authentication for Web Services




I am interested in building a system (similar to Microsoft's .Net My
Services) that is a family of web services that clients authenticate
against using Kerberos. The idea is to have clients hit the KDC via
SOAP calls over SSL and get the ticket. Then they ask the KDC for a
ticket to communicate with a specific web service. Once I have that, I
should be able to encrypt all SOAP messages to the web service and
just pass the username.

But this doesn't seem to fit into the idea of how Kerberos
authentication works. Is anyone doing Kerberos authentication via SOAP
calls? What do people recommend for an authentication mechanism for a
family of web services?

thanks.



