None (Microsoft KDC)

g.w@hurderos.org g.w at hurderos.org
Tue Jul 20 10:30:22 EDT 2004


On Jul 20,  8:52am, Rouiller Claude wrote:
} Subject: RE: None (Microsoft KDC)

>> -----Original Message-----
>> From: azimuth 1 [mailto:gero10 at caramail.com] 
>> Sent: Monday, July 19, 2004 12:48 PM
>> To: kerberos at mit.edu
>
>> In this white paper available at the address:
>> www.microsoft.com/windows2000/techinfo/howitworks/security/kerbint.asp.
>> I concluded that a good alternative for a network using Active Directory
>>
>> Samy

> I guess: If you use a non-Windows KDC, you'll have difficulties
> setting up authorization for your Windows users.  (I know MIT Kerberos
> is not designed for authorization, but I try to be pragmatic).
>
> So, I think this is a fairly good approach.
> Claude

Actually we are trying to address the problem of Kerberos not having
an implicit authorization model.  Our design objective, in contrast to
another major player... :-), was to do it in a manner which naturally
leverages LDAP and Kerberos without requiring explicit changes to the
KDC or the contents of the credentials.

Once we have the basics up and running our roadmap is to implement a
model where the service authorization instance identity is encoded in
the service ticket.  This simplifies authorization, particularly with
respect to desktops, yet continues the model of providing a
cryptographic guarantee on the integrity of the directory as a source
of authorization information.

WEB site in the signature has more details with updated code at the
end of the week for anyone interested.

Best wishes for a pleasant and productive day.

}-- End of excerpt from Rouiller Claude

As always,
GW
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

