Kerberos authentication for Web Services

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Jul 8 15:20:36 EDT 2002


>I am interested in building a system (similar to Microsoft's .Net My
>Services) that is a family of web services that clients authenticate
>against using Kerberos. The idea is to have clients hit the KDC via
>SOAP calls over SSL and get the ticket. Then they ask the KDC for a
>ticket to communicate with a specific web service. Once I have that, I
>should be able to encrypt all SOAP messages to the web service and
>just pass the username.

I believe Sam Hartman already pointed out that generating a new network
protocol to communicate with the KDC is a Really Bad Idea.  In general,
that part of Kerberos is supposed to be invisible to you.  You could
do that (I believe you said you wanted to avoid firewalls), but you
would be making yourself not interoperate with all of the existing code
that's already out there.

>But this doesn't seem to fit into the idea of how Kerberos
>authentication works. Is anyone doing Kerberos authentication via SOAP
>calls? What do people recommend for an authentication mechanism for a
>family of web services?

If you mean, "Is anyone using SOAP as a Kerberos client/KDC communication
protocol", the answer is likely no.  If you're asking if anyone is using
Kerberos to authenticate a SOAP-based protocol ... I don't know.

--Ken
