noob question on where to start with Kerberos

Michael B Allen ioplex at
Mon Jul 27 19:00:11 EDT 2009

On Mon, Jul 27, 2009 at 6:07 PM, Bryan Boone<bryan-boone at> wrote:
> Hi everyone I have a noob question for ya.
> I need to develop a website for a company that uses kerberos login, the web server resides on a different server than the kerberos server.  Unfortunatly I cannot use the built in PHP functions for kerberos, so I need to write my own C kerberos client as a PHP extension.

Hi Bryan,

You don't need a full-blown kerberos client. For SSO you just need an
"accept_sec_context" function that consumes the base64 encoded tokens
supplied by the browser and emits base64 encoded tokens to send to the
browser. This function would largely call GSSAPI's
gss_accept_sec_context or Windows' AcceptSecurityContext. For explicit
username / password based logins you just need to call

However, it sounds like you're using Apache in which case there are
already a few modules that do GSSAPI authentication. In particular
there's mod_auth_kerb.

You also mention PHP in which case check out which does everything you want and
a whole lot more.

> Also to eliminate possible man-in-the-middle attacks, I need to have the keytab file manually uploaded to the web server.

The keytab is required to participate in any form of Kerberos
authentication. By MITM I believe you're referring to validating the
client supplied ticket. There's a verify-something-or-other function
in the krb5 API for this. I don't recall the name of it. Someone else
will probably chime in with the name of it. I don't know if
mod_auth_kerb does explicit logins using krb5_get_init_creds_password.

> My question is, what methods are best for accomplishing my task.  Can this be accomplished with the pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI?  Which one would be easier for a noob?

There are two methods. There is the explicit username and password
based login as I mentioned which would require using
krb5_get_init_creds_password or on Windows I believe you would have to
do InitSecurityContext and AcceptSecurityContext in a loop (is there a
short cut for this?). But there is also something called SPNEGO (which
IE and MS call "Negotiate"). SPNEGO is a Single Sign-On (SSO) form of
authentication which ultimately means that, with a properly configured
browser, the user goes straight in without entering a password at all.
On corporate intranets this is a highly desirable feature.

You do not want to do anything with PAM or SASL.


Michael B Allen
Java Active Directory Integration

More information about the Kerberos mailing list