Mutual authentication and delegation
Brian Krings
krings at us.ibm.com
Mon Mar 11 10:34:12 EST 2002
Ken, Dave,
Thanks for your replies. I agree with both of you that mutual authentication
is a good thing. Basically, we were using kerberos as an authentication
mechanism through a protected interface and kicking off a "job" on the
server system to run under the credentials of the client. No further
kerberos messages are exchanged. So, educate me if I am wrong, but I don't
think mutual authentication buys us much here. The issue I have is that
GSSAPI does not force this restriction but SSPI did.
Also, David I don't see in the paragraph you mention, where it states that I
must do mutual authentication to do delegation. The paragraph you mention is
below.
"The value of a client being able to authenticate a service is less
understood. Authenticating a service enables the client to trust the
information it gets from the service and to feel secure in sending sensitive
information to the service. The ability of a client to authenticate a
service is particularly important in client/service applications that
support delegation of the client's security context (in other words, the
client authorizes the service to act as its delegate in accessing additional
services or network resources)."
Thanks again, Brian
>> And to further follow up to the original message ....
>>
>> Is there any reason to _NOT_ do mutual authentication?
>>
>>--Ken
"David Lawler Christiansen (NT)" wrote:
> This is mentioned briefly in the third paragraph of
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/
> ad/about_mutual_authentication_using_kerberos.asp
>
> Put simply, delegating to a server is a dangerous business. We require
> MUTUAL_AUTH to ensure that you're really delegating to the correct,
> intended entity.
>
> -----
> This message or posting is provided "AS IS" with no warranties, and
> confers no rights.
> Any opinions or policies stated within are my own and do not necessarily
> constitute those of my employer.
> Harvesting of this address for purposes of bulk email (including "spam")
> is prohibited unless by my expressed prior request. I retaliate
> viciously against spammers and spam sites.
>
> > -----Original Message-----
> > From: Brian Krings [mailto:krings at us.ibm.com]
> > Sent: Friday, March 08, 2002 12:05 PM
> > To: kerberos at mit.edu
> > Subject: Mutual authentication and delegation
> >
> >
> > I have a question about mutual authentication and delegation.
> > I have an application where I would like to delegate
> > credentials. I do not currently do mutual authentication.
> > Using Windows 2000 as my KDC, I cannot get delegated
> > credentials unless I also pass the mutual authentication flag
> > to the SSPI InitializeSecurityContext. I don't see any
> > documentation from Microsoft or in the RFC's that would force
> > this. Does Microsoft have a bug? I do not have to request
> > mutual authentication if my client is a non-Windows machine
> > (using GSSAPI).
> >
> > Thanks in advance for any/all responses.
> > Brian
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
> >
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list