Kerberos authentication for Web Services

Clemens Vasters clemensv at newtelligence.com
Mon Jul 15 13:05:14 EDT 2002


"Ken Hornstein" <kenh at cmf.nrl.navy.mil> wrote in message
news:200207081920.g68JKbq29038 at ginger.cmf.nrl.navy.mil...
> I believe Sam Hartman already pointed out that generating a new network
> protocol to communicate with the KDC is a Really Bad Idea.  In general,
> that part of Kerberos is supposed to be invisible to you.  You could
> do that (I believe you said you wanted to avoid firewalls), but you
> would be making yourself not interoperate with all of the existing code
> that's already out there.

The WS-Security spec by MS/IBM/Verisign assumes that the Kerberos handshaking is done using the Kerberos protocol, but that routing of the session ticket is embedded in SOAP and that the SOAP body and/or headers are signed and/or encrypted using the Kerberos session key.

I don't think that many people in the SOAP space seriously consider tunneling Kerberos through SOAP.

> If you mean, "Is anyone using SOAP as a Kerberos client/KDC communication
> protocol", the answer is likely no.

Agree. Wouldn't make any sense whatsoever. MS/IBM/Verisign do actually have a TGT type in their WS-Security spec, but my understanding is that this may not stay.

>  If you're asking if anyone is using
> Kerberos to authenticate a SOAP-based protocol ... I don't know.

Yes; that exists. I did a Windows Kerberos SSP based implementation for this (based on the .NET Framework) available from our site at http://www.newtelligence.com/wsextensions . The implementation *should* be interoperable with GSSAPI if someone would implement the far portion of WS-Security on Unix (this stuff is mostly thought to serve as a .NET Web Services example).

Best Regards
Clemens

newtelligence AG
http://www.newtelligence.com
clemensv >> newtelligence.com
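The pattern Clemens describes (Kerberos exchange done out of band in plain Kerberos, the resulting ticket carried in a SOAP security header, the Body integrity-protected with the session key), as an added illustration that is not part of this thread or of the newtelligence implementation. It assumes a placeholder `wsse` namespace, a toy ticket encoding in place of real Kerberos ASN.1, and an HMAC plus C14N in place of the spec's XML-Signature.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "urn:example:wsse"  # placeholder namespace; the spec's own URI is not quoted in this thread

def canon(elem: ET.Element) -> bytes:
    # Both sides must MAC identical bytes; C14N 2.0 stands in for XML-DSig canonicalisation
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def kdc_issue(client: str, service: str, service_keys: dict) -> tuple[bytes, bytes]:
    """Simulated KDC exchange, never inside SOAP. Returns (AP-REQ bytes, session key).
    Toy ticket: name + session key, tagged under the service's long-term key (not encrypted)."""
    session_key = secrets.token_bytes(16)
    tag = hmac.new(service_keys[service], client.encode() + session_key, hashlib.sha256).digest()
    return client.encode() + b"\0" + session_key + tag, session_key

def build_request(ap_req: bytes, session_key: bytes, body_xml: str) -> str:
    """Client: AP-REQ rides as a binary token in the Security header; the Body gets an
    HMAC under the session key (stand-in for the spec's XML-Signature over the Body)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken", ValueType="Kerberosv5_AP_REQ")
    tok.text = base64.b64encode(ap_req).decode()
    payload = ET.fromstring(body_xml)
    mac = hmac.new(session_key, canon(payload), hashlib.sha256).digest()
    ET.SubElement(sec, f"{{{WSSE}}}BodySignature").text = base64.b64encode(mac).decode()
    ET.SubElement(env, f"{{{SOAP}}}Body").append(payload)
    return ET.tostring(env, encoding="unicode")

def verify_request(envelope: str, service: str, service_keys: dict) -> tuple[str, bytes]:
    """Service: validate the AP-REQ with its own key (no KDC round trip), recover the
    session key, then check the Body MAC. Returns (authenticated client, canonical body)."""
    env = ET.fromstring(envelope)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    ap_req = base64.b64decode(sec.findtext(f"{{{WSSE}}}BinarySecurityToken"))
    name, rest = ap_req.split(b"\0", 1)
    session_key, tag = rest[:16], rest[16:]
    expect = hmac.new(service_keys[service], name + session_key, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("AP-REQ was not issued for this service")
    payload = env.find(f"{{{SOAP}}}Body")[0]
    mac = base64.b64decode(sec.findtext(f"{{{WSSE}}}BodySignature"))
    if not hmac.compare_digest(mac, hmac.new(session_key, canon(payload), hashlib.sha256).digest()):
        raise ValueError("Body was altered in transit")
    return name.decode(), canon(payload)

if __name__ == "__main__":
    keys = {"http/ws.example": secrets.token_bytes(32)}  # constructed service key table
    ap_req, sk = kdc_issue("alice@EXAMPLE", "http/ws.example", keys)
    print(verify_request(build_request(ap_req, sk, "<GetBalance><Account>42</Account></GetBalance>"),
                         "http/ws.example", keys))
```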