Kerberos authentication for Web Services
Steve Langasek
vorlon at dodds.net
Tue Jul 9 12:37:33 EDT 2002
On Mon, Jul 08, 2002 at 08:04:21AM -0700, jeremy redburn wrote:
> I am interested in building a system (similar to Microsoft's .Net My
> Services) that is a family of web services that clients authenticate
> against using Kerberos. The idea is to have clients hit the KDC via
> SOAP calls over SSL and get the ticket. Then they ask the KDC for a
> ticket to communicate with a specific web service. Once I have that, I
> should be able to encrypt all SOAP messages to the web service and
> just pass the username.

Tunnelling KDC exchanges over SSL-encrypted SOAP? Sounds like a protocol
that Intel would love. ;)

I believe that any efforts to tunnel Kerberos over SOAP (as opposed to
using Kerberos to authenticate SOAP) are misguided in the extreme. I
think SOAP itself is rather misguided to begin with, albeit somewhat less
so; but any attempt to implement a security architecture by working around
the existing deployed security infrastructure, rather than with its
implementors, seems certain to fail.
Steve Langasek
postmodern programmer