Michael B Allen ioplex at
Thu Jul 17 14:25:16 EDT 2008

On Thu, Jul 17, 2008 at 11:01 AM, Sharad Desai <ssdesai1 at> wrote:
> Hello,
> Thanks for your responses.
>> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
>> have SPNEGO built in, and can use the Kerberos in Active Directory.
>> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
> platform
>> see the about:config and the network.negotiate-auth.trusted-uris option.
> I would have definitely considered this, but the group that I am working
> with does not want to include AD in any solution.
> Also, (I'm not sure how familiar people are with Cosign) since Cosign
> transforms Kerberos authentication to a cookie-based authentication which
> the browsers can use, I was wondering if you have had any experience with
> this.

When trying to determine the right SSO solution for your web
applications, it is important to realize that the mode of operation
behind solutions that call themselves "SSO" varies tremendously so you
really need to carefully state your requirements.

For example, you mentioned WebAuth and CoSign. Both of these solutions
are really targeted for highly heterogeneous environments like
University networks where the only client requirement is that the
browser support cookies. So it works on the IntrAnet, the IntErnet, on
a hostile dormitory network, a kiosk at the airport, ...etc. But if
you don't have those requirements these solutions do have quite a bit
of overhead with all the redirecting and, more important, they do not
give you true single-sign-on behavior. They're more like "double sign
on" because you have to login to a central server and they get
redirected back to the target site.

Then you have "SSO" solutions like OpenID which are really more like
"triple sign on" since you have to login to your workstation, then to
the OpenID service and then put in the OpenID service you're using at
the target site. This scenario is really only for the IntErnet where
there is no chance of the client and service being members of the same

For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
others are the only true *Single* Sign On solutions where the clients
existing credentials are used to transparently authenticate without
requiring the user to enter a password. These use either the original
WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
NTLMSSP or Kerberos 5).


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the Kerberos mailing list