Kerberos and Group membership

Michael B Allen mba2000 at ioplex.com
Wed Sep 20 11:26:34 EDT 2006


On Wed, 20 Sep 2006 16:35:52 +0300
"Ilan Frenkel" <ilanf at checkpoint.com> wrote:

> Hi,
>
> Has anyone used Kerberos in Windows 2000\2003 server environment?

Yes, "Active Directory" is basically a KDC and an LDAP server.

> Is it possible to retrieve group information from Active Directory when
> doing Kerberos authentication to W2K or Windows 2003?

Technically, yes. In practice, it's non-trivial.

Tickets issued by Active Directory have group information buried in
the authorization-data field but it is not easily accessible and even
if you do get it out it's basically a list of numbers which isn't useful
in itself.

The ideal solution is to get the RIDs from the Kerberos ticket and use
DCE/RPC to look up any names you use in your config, within scripts,
etc. This is what our PlexSSO product does (see sig).

> With LDAP and NTLM it is possible to retrieve group membership information.

Technically, yes. In practice, it's not adequate. Doing proper group
expansion would require recursive queries and possibly referrals. Then
you have to cache and compare large amounts of strings. You can easily
make something look like it's working in a small environment but it's
unlikely to be correct and it doesn't scale.

Also, NTLM is not ideal for Web SSO as it requires communication with
the domain controller and multiple messages to authenticate. Kerberos is
much better. Same LDAP limitations described above apply to both though.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
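The point above about the ticket carrying only "a list of numbers" is illustrated by this added example, which is not part of the original message and not PlexSSO code. It decodes a constructed binary domain SID, appends the constructed RIDs to it to form full group SIDs, and resolves them through a constructed name table that stands in for the DCE/RPC lookup; the constant names and the sample values are assumptions made for the example.

```python
import struct

# Constructed sample: a domain SID in its binary wire form and the RIDs
# listed for the user. These values are made up for this example.
DOMAIN_SID_BIN = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 1000, 2000, 3000)
TICKET_RIDS = [513, 1105, 4321]

# Constructed table standing in for an LSA name lookup over DCE/RPC.
SID_NAMES = {
    "S-1-5-21-1000-2000-3000-512": "Domain Admins",
    "S-1-5-21-1000-2000-3000-513": "Domain Users",
    "S-1-5-21-1000-2000-3000-1105": "WebApp Operators",
}

def parse_binary_sid(data):
    """Decode a binary SID: revision, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def group_sids(domain_sid, rids):
    """A RID only identifies a group once it is appended to the logon domain SID."""
    return ["%s-%d" % (domain_sid, rid) for rid in rids]

def resolve_groups(domain_sid_bin, rids, lookup):
    """Map each group SID to a name; an unresolvable SID keeps None rather than
    being dropped, so a failed lookup stays visible instead of silently ignored."""
    domain_sid = parse_binary_sid(domain_sid_bin)
    return {sid: lookup.get(sid) for sid in group_sids(domain_sid, rids)}

def is_member(resolved, group_name, lookup):
    """Compare by SID, not by name: translate the configured name to its SID once
    (a reverse lookup here) and check that SID against the ticket's groups."""
    name_to_sid = {name: sid for sid, name in lookup.items()}
    return name_to_sid.get(group_name) in resolved

if __name__ == "__main__":
    groups = resolve_groups(DOMAIN_SID_BIN, TICKET_RIDS, SID_NAMES)
    for sid, name in groups.items():
        print(sid, "->", name or "(unresolved)")
    print("WebApp Operators:", is_member(groups, "WebApp Operators", SID_NAMES))
```

Resolving the configured names to SIDs once and comparing SIDs means a later group rename does not silently change who is authorized.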
