SSO

Sharad Desai ssdesai1 at gmail.com
Thu Jul 17 11:01:02 EDT 2008


Hello,

Thanks for your responses.

> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> have SPNEGO built in, and can use the Kerberos in Active Directory.
> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
> platform see the about:config and the network.negotiate-auth.trusted-uris
> option.

I would have definitely considered this, but the group that I am working
with does not want to include AD in any solution.

Also, (I'm not sure how familiar people are with Cosign) since Cosign
transforms Kerberos authentication to a cookie-based authentication which
the browsers can use, I was wondering if you have had any experience with
this.

Thanks again.




On 7/17/08, Javier Palacios <javiplx at gmail.com> wrote:
>
> >> I wanted to use Kerberos to authenticate the user.  After research, I
> >> thought this would make sense.  I saw some suggestions using CoSign or
> >> WebAuth.  I can't use WebAuth because it is only for Linux, and CoSign is
> >> written for Apache (but there are ISAPI filters I guess for IIS) and I am
> >> running off of Microsoft IIS.
> >>  [...]
> >
> > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> > have SPNEGO built in, and can use the Kerberos in Active Directory.
> > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
> > platform see the about:config and the network.negotiate-auth.trusted-uris
> > option.
> >
>
> The main (and probably only) drawback of this method is that it is all
> about HTTP basic authentication, and most applications only allow
> some kind of cookie-based auth.
>
> You might want to look at PAPI (http://papi.rediris.es). It only
> provides Web SSO, but I think it is enough for you. It allows multiple
> authentication backends, and although it is not packaged as default it
> is possible to use Kerberos (actually, I tested it successfully
> against a W3K domain controller).
> On the authentication server side, as far as I remember it forces you
> to use Apache (but Apache for Windows is OK).
> And regarding the application side, IIS might be a problem, except
> if the code is PHP. But you can integrate it with Java (a Tomcat
> filter at least).
>
> Hope this helps.
>
> Javier Palacios
>



More information about the Kerberos mailing list