WebISO: the killer kerberos app?
Russ Allbery
rra at stanford.edu
Tue Mar 9 13:33:32 EST 2004
Kevin Coffman <kwc at citi.umich.edu> writes:
> Our answer to the proxy issue when certificates are used for
> authentication is Kerberized Credentials Translation (KCT). The web
> server captures the SSL handshake between itself and the client,
> forwards that handshake and other info to the KCT (a Kerberized service)
> running on a KDC machine which can issue Kerberos service tickets for
> the web server to use on the user's behalf.
How does it do this without the user's password?
> The handshake is verified by the KCT so that it can verify that the end
> user requested service from the web server. The KCT has a list which
> specifies which web servers may request what kind of service tickets.
This part sounds very similar to WebAuth's approach, but the weblogin
server additionally has the user's TGT in a cookie. Failing that, I'm not
sure I understand where it's getting the user's password or TGT in order
to obtain service tickets.
Are you storing state on the login server, maybe? We had a requirement
not to do that because we wanted to easily load-balance the login server.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>