Cross-Realm authentication
Tillman Hodgson
tillman at seekingfire.com
Fri Jul 2 12:23:58 EDT 2004
On Fri, Jul 02, 2004 at 10:47:56AM -0400, Ken Hornstein wrote:
> >Expert: "You can't put your SSO in production, because Kerberos cross realm
> >authentication doesn't work!"
> >Me: "Is it an issue in Microsoft Kerberos?"
> >Expert: "No. The Kerberos protocol has been so poorly designed, that
> >cross-realm authentication just doesn't work at all. Maybe Microsoft has
> >implemented something proprietary to make it work, but it would not be
> >standard!".
>
> What a load of crap.
>
> I personally work with a group of people (about 5000 users) which involve
> 20 sites, approximately 7-8 Kerberos realms, which make very heavy use
> of cross-realm authentication in production, and it works just fine.
>
> I also know of plenty of other sites that use cross-realm authentication
> all of the time.
Absolutely. In my case, *all* Kerberos authentication is cross-realm, by
design. The servers sit in one realm and the various organizations that
need to interact with them do so via cross-realm trust (including my own
administrative access, though kadmin is the exception to this rule). I
don't want to maintain their principals, I want things to Just Work(tm).
This crosses implementations (various releases of MIT and Heimdal,
though not AD yet), operating systems (FreeBSD, NetBSD, RedHat, Debian,
Mandrake, etc) and hardware platforms (64-bit and 32-bit, both endians
are represented). It's been truly portable for us, and that's the main
reason why we use it.
I plan on adding in an AD domain soon, and my planning so far seems to
show that it's not that complicated. And I consider myself relatively
wet behind the ears on Kerberos compared to some of the folks on this
list :-)
Truly, we have more issues with designing portable authorization data
than we do with authentication. I suspect that the original poster's
Experts are expert in something other than Kerberos.
-T
--
> Life is once again okay, if non-standard.
-- Takis Skagos, on a LOSURS mailing list
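The "servers in one realm, every client organization trusting in via cross-realm" design that Tillman describes rests on two things: the client library resolving a path of krbtgt principals from its own realm to the server realm (directly, or through intermediate realms listed under [capaths] in krb5.conf), and the server realm's KDC refusing tickets whose transited field names a realm that is not on that configured path. The following is an added illustration, not code from the mailing-list thread or from MIT/Heimdal; the realm names ORG-A.EXAMPLE, ORG-B.EXAMPLE and SERVERS.EXAMPLE and the [capaths] stanza are made up, and the transited check is a simplified model of the MIT behaviour that takes the already-decoded list of realms rather than the compressed encoding carried in a real ticket.

```python
"""Model of Kerberos cross-realm path resolution ([capaths]) and the
KDC-side transited-realm check. Added example with constructed realm names;
not code from the Kerberos mailing list or from any KDC implementation."""

# Constructed [capaths] stanza in krb5.conf syntax. For each client realm it
# maps a server realm to the intermediate realm(s) to hop through; "." means
# the client realm's KDC issues krbtgt/<server>@<client> directly.
CAPATHS_CONF = """
[capaths]
    ORG-A.EXAMPLE = {
        SERVERS.EXAMPLE = .
    }
    ORG-B.EXAMPLE = {
        SERVERS.EXAMPLE = ORG-A.EXAMPLE
    }
    SERVERS.EXAMPLE = {
        ORG-A.EXAMPLE = .
        ORG-B.EXAMPLE = ORG-A.EXAMPLE
    }
"""


def parse_capaths(text):
    """Parse a [capaths] section into {client_realm: {server_realm: [hops]}}.
    A key repeated on several lines lists a multi-hop path in order."""
    paths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"
            continue
        if not in_section:
            continue
        if line == "}":
            client = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            client = key
            paths.setdefault(client, {})
        elif client is not None:
            hops = paths[client].setdefault(key, [])
            if value != ".":
                hops.append(value)
    return paths


def hierarchical_path(client, server):
    """Default path when [capaths] has no entry: walk up the dotted realm
    hierarchy from the client realm to the common ancestor, then down to the
    server realm. Returns the intermediate realms only."""
    c_parts, s_parts = client.split("."), server.split(".")
    n = 0
    while n < min(len(c_parts), len(s_parts)) and c_parts[-1 - n] == s_parts[-1 - n]:
        n += 1
    if n == 0:
        return []  # no shared suffix: the client asks for the direct krbtgt
    up = [".".join(c_parts[i:]) for i in range(1, len(c_parts) - n + 1)]
    down = [".".join(s_parts[i:]) for i in range(len(s_parts) - n - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]


def expected_path(capaths, client, server):
    """Intermediate realms between client and server realm, per [capaths] or,
    failing an explicit entry, the hierarchical default."""
    entry = capaths.get(client, {}).get(server)
    return list(entry) if entry is not None else hierarchical_path(client, server)


def krbtgt_chain(capaths, client, server):
    """The cross-realm TGTs a client in `client` requests, in order, to reach a
    service in `server`. Each krbtgt/NEXT@CURRENT must exist with the same key
    in both the CURRENT and the NEXT realm's KDC database for the hop to work."""
    realms = [client] + expected_path(capaths, client, server) + [server]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(realms, realms[1:])]


def transited_ok(capaths, client, server, transited):
    """KDC-side check (simplified): every realm named in the ticket's
    transited field must lie on the configured path from client to server
    realm, so a rogue intermediate cannot insert itself into the chain."""
    allowed = set(expected_path(capaths, client, server))
    return all(realm in allowed for realm in transited)


if __name__ == "__main__":
    cp = parse_capaths(CAPATHS_CONF)
    for org in ("ORG-A.EXAMPLE", "ORG-B.EXAMPLE"):
        print(org, "->", krbtgt_chain(cp, org, "SERVERS.EXAMPLE"))
    print(transited_ok(cp, "ORG-B.EXAMPLE", "SERVERS.EXAMPLE", ["ORG-A.EXAMPLE"]))
    print(transited_ok(cp, "ORG-B.EXAMPLE", "SERVERS.EXAMPLE", ["EVIL.EXAMPLE"]))
```

With this configuration a user in ORG-A.EXAMPLE needs only krbtgt/SERVERS.EXAMPLE@ORG-A.EXAMPLE to exist, with an identical key, in both the ORG-A and the SERVERS KDC databases (a one-way trust, which is all the "servers in one realm" design requires); a user in ORG-B.EXAMPLE goes through ORG-A, so the SERVERS KDC accepts a transited field naming ORG-A.EXAMPLE and rejects one naming any other realm. The same [capaths] stanza has to be present on the clients and on the server realm's KDC, otherwise the two sides compute different paths and the KDC returns an illegal cross-realm ticket error.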