Christopher D. Clausen cclausen at
Thu Jul 17 21:52:04 EDT 2008

Michael B Allen <ioplex at> wrote:
> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <rra at>
> wrote:
>>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>>> going to perform better.
>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I mentioned.
> No, I definitely meant "better".
> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
> token and get a TGT.
> With something like WebAuth, the client is redirected to a central
> server, then you have to do all of the above (or an explicit login
> which is more stuff) and then redirect the client back to the original
> target (and this doesn't include getting a TGT on the target server).

That is the whole point.  NOT sending authentication infor directly to 
the server and instead using a central auth server is a FEATURE.

> With Plexcel we can do SPNEGO, check group membership (we extract the
> group SIDs from the PAC), app-level access to basic user info and a
> get TGT without talking to a third party at all. The time between the
> initial HTTP request and the 200 response is less than 20 ms (or ~50
> ms if the user is in a few hundred groups).

The whole point of the central server is to keep end-users from typing 
passwords in at all the other random webservers.  The speed does not 
matter.  The point is that those hosting the server are not to be 
trusted with the end user passwords and the central server solves this 
problem.  This is why things like Bluestem were developed:

And the central solutions can optionally add user group data from LDAP / 
AD / whatever.


More information about the Kerberos mailing list