Configuring Kerberos for Solaris
Mark Montague
markmont at umich.edu
Tue Mar 25 11:49:39 EST 2003
On Tue, 25 Mar 2003, Wyllys Ingersoll wrote:
> Having "proper" Kerberos (or GSSAPI) authentication to the web server requires
> a browser which also supports the authentication protocol and currently, as far as I
> know, only Microsoft's IE supports native GSSAPI authentication and it only works
> when talking to an IIS web server.
This is correct. CMU has a browser plug-in for this purpose that
goes along with a web server module. See:
http://asg.web.cmu.edu/minotaur/

My experience is that it's better to have a solution that does not
require a browser plug-in, since this presents a significant barrier
to non-expert users. The University of Michigan tried a solution
similar to CMU's back in 1995-1997, but this resulted in a lot of
extra end-user support calls from users who had problems installing
the browser plug-in or didn't know about the need for the browser
plug-in at all.
> > I was looking around some of the university sites to see if there were
> > kerberized web authentication modules available for testing. My impression
> > was that they had been written but nothing was publicly available to test.

Two additional resources to add to the list:

mod_auth_kerb for Apache supports server-side Kerberos 4 and 5
authentication via BasicAuth. http://modauthkerb.sourceforge.net/

cosign supports a Kerberos-enabled web single sign-on solution
via a secure CGI, Apache and IIS authentication filter modules, and
a back-side daemon. Client webservers can receive Kerberos 5 TGTs
for users from the central cosign server. Kerberos 4 support is provided
via krb524d. Disclaimer: cosign is being written at the
University of Michigan and I've contributed to the project, so
I'm biased ;) cosign is currently functional; all that remains
for a 1.0 release is to complete the documentation. See
http://weblogin.org/
Mark Montague
LS&A Information Technology
The University of Michigan
markmont at umich.edu