Simon Wilkinson simon at
Fri Jul 18 05:28:35 EDT 2008

On 18 Jul 2008, at 06:57, Russ Allbery wrote:

> "Michael B Allen" <ioplex at> writes:
>> If you read the whole thread you'd know I'm only talking about the
>> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at  
>> all
>> whereas with WebAuth you might need to.
> You're making a bogus comparison.

Russ has pretty much covered the ground here, but I thought I should  
make some comments from our (Cosign based) perspective.

SPNEGO is great in an all Windows environment, where you absolutely  
control every client that's authenticating to your system. It breaks  
down as soon as you add machines which are only loosely under your  
management control. As well as requiring that all clients have a  
properly configured Kerberos client, using SPNEGO with Firefox also  
requires browser configuration, which has to happen for every site  
that users may access, or delegate credentials to, and for every user.

The failure mode for SPNEGO also isn't particularly elegant. If you  
can't do SPNEGO, you can either reject the user, or prompt them for a  
username and password, for every one of your sites that they visit.  
Getting your users used to entering login details every time they  
visit any website is a sure fire way to encourage social engineering  
attacks. Having every server on your network accepting passwords also  
opens you up to attacks on those servers, and severely complicates  
your trust model.

The advantage of a WebSSO system like Cosign or WebAuth is that all  
of this configuration, and fallback, is handled at a single location  
which greatly simplifies management, both of services (which only  
need to know how to talk to your Web SSO system), and clients (which  
only need to be set up to do SPNEGO with your Web SSO login host, if  
at all). Whether you're actually doing _single_ signon at this point  
does rear its head (and in the past, I've been pretty rude about web  
double signon solutions), but with something like either Cosign or  
Webauth you can easily configure other authentication mechanisms in  
front of your web login server, and provide single signon for users  
whose systems support it, without affecting the experience of those  
users who are on systems that don't.

The issue isn't whether _most_ of your clients will support SPNEGO,  
but whether they all will. As soon as you have to add non-SPNEGO  
support, even if that's just to cater for a small number of clients,  
you've lost.

> (Cosign I think requires the ticket cache on
> the central login server, so does introduce the twist of delegation.)

Cosign doesn't require the ticket cache. In fact, if you don't care  
about delegation, you can use Cosign with any authentication source,  
not just Kerberos. Of course, if you don't have a ticket cache, you  
can't delegate credentials to services.

We spent a while looking at different login mechanisms, including  
using purely browser based ones such as kx509 and SPENGO. The only  
way we could see of achieving a reasonable level of both security and  
usability was to deploy a WebSSO solution.

The only fly in the ointment here is that none of the WebSSO  
solutions currently available can handle authenticating POST  
requests, where the user hasn't previously authenticated to the  
service, due to their requirement for redirects. For us, this was a  
small price to pay.


More information about the Kerberos mailing list