Is Kerberos a good solution for web-single signon
Nikola Milutinovic
Nikola.Milutinovic at ev.co.yu
Sat Mar 13 05:57:45 EST 2004
Christopher Kranz wrote:
>bisibis at pt.lu (paul b) wrote in message news:<1f716d42.0403090729.1755f1a at posting.google.com>...
>
>>Hello,
>>I am currently developing a "web single sign-on" system and I am
>>thinking about using Kerberos for this purpose
>
>[snip]
>
>>Perhaps someone can tell me if Kerberos is really a good solution for
>>web single sign-on (and fully transparent to end-users) or if there are
>>more simple possibilities like for example installing a "reverse
>>proxy"?
>
>I was wondering the same thing. In fact I started a similar thread a
>little while ago. The short answer is no, not really. And the reason
>is, HTTP is a stateless protocol. You would need to generate a new
>authenticator for each and every connection. Kerberos kind of assumes
>that once a session is started the connection is persistent.
>
There are two ways to go about this. The simplest is to let Apache act
as a Kerberos client, accepting USER/PASS via the HTTP/Basic authentication
method. This is actually very bad for two reasons. Firstly, it uses the
HTTP/Basic authentication method between browser and web server. This
method is unencrypted and, without SSL (HTTPS), it will defeat one of the
basic intentions of Kerberos - encrypted authentication.

A much better way is to implement the HTTP/SPNEGO authentication method. In
that model, the browser is a Kerberos client (with the user's principal) and
Apache or IIS is a Kerberos server (with the server's principal), both
authenticating against some Kerberos KDC (MIT KDC, MS ADS, Heimdal, ...).
For this you need both server and browser to be "Kerberos aware". Apache
has "mod_negotiate"; IIS on Win2k/2k3 should be ready, since it is on MS
ADS. Of the browsers, IE 6 should be OK, also Mozilla 1.5/1.6.
Nix.
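An added example, not part of the thread above and not code from any of the projects it names: the two approaches differ in what the browser actually puts on the wire, and the small Python decoder below makes that visible. An HTTP/Basic Authorization header carries the base64-encoded user:password, so anyone who can read the request recovers the password; a Negotiate header carries a GSS-API initial context token (RFC 2743 section 3.1), whose mechanism OID tells you whether the browser sent SPNEGO-wrapped Kerberos or fell back to raw NTLM (a token starting with "NTLMSSP\0"), a check worth making before believing that "Kerberos is in use". The OIDs are the standard values; the sample headers, the user name and password, and the bytes standing in for the NegTokenInit payload are constructed for the example and no KDC is involved.

```python
"""Classify HTTP Authorization headers: Basic vs Negotiate (SPNEGO/Kerberos/NTLM).

Added example; the sample headers below are constructed, not captured traffic.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # what browsers wrap Kerberos in for "Negotiate"
KRB5_OID = "1.2.840.113554.1.2.2"   # raw Kerberos 5 GSS-API mechanism


def _der_len(n):
    """DER length octets (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """DER contents octets of a dotted OID (tag and length not included)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])   # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def build_initial_context_token(mech_oid, inner):
    """RFC 2743 3.1 InitialContextToken: [APPLICATION 0] { mech OID, inner token }."""
    oid = encode_oid(mech_oid)
    body = b"\x06" + _der_len(len(oid)) + oid + inner
    return b"\x60" + _der_len(len(body)) + body


def _read_len(buf, pos):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(contents):
    if not contents:
        raise ValueError("empty OID")
    arcs = [contents[0] // 40, contents[0] % 40]
    val = 0
    for b in contents[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def gss_mechanism(token):
    """Mechanism OID of a GSS-API initial token, or 'NTLMSSP' for the NTLM fallback."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"                  # browser could not get a ticket; not Kerberos
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken")
    _, pos = _read_len(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _read_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated OID")
    return decode_oid(token[pos:pos + oid_len])


def classify_authorization(header):
    """Summarise what an Authorization header exposes to anyone who can read it."""
    scheme, _, param = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # base64 is an encoding, not encryption: the password is right there.
        user, _, password = base64.b64decode(param).decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password,
                "password_on_wire": True}
    if scheme == "negotiate":
        token = base64.b64decode(param)
        # The token carries a service ticket and authenticator, never the password.
        return {"scheme": "Negotiate", "mechanism": gss_mechanism(token),
                "password_on_wire": False}
    raise ValueError("unsupported scheme: " + scheme)


# Constructed sample headers (hypothetical user, stand-in NegTokenInit bytes).
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:hunter2").decode()
SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    build_initial_context_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for h in (BASIC_HEADER, SPNEGO_HEADER, NTLM_HEADER):
        print(classify_authorization(h))
```

Run against a real capture, the Basic case prints the password in clear, which is the point made above about needing HTTPS; the Negotiate case prints 1.3.6.1.5.5.2 when the browser really obtained a Kerberos ticket and NTLMSSP when it silently fell back, which is the first thing to check when a "Kerberos-aware" browser and server do not behave as expected.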