Kerberos in Browser based Applications

Frank Gruellich frank.gruellich at navteq.com
Tue Mar 3 12:47:16 EST 2009


Hi,

I have set up a Kerberos realm.  A user and a service (let's say a
database) are both included as principals in the KDC database and the
service restricts access to */dbuser@EXAMPLE.COM.  User and service can
communicate perfectly using a database CLI on the user's machine.

Now these days CLIs aren't "state-of-the-art" anymore and $managers
refuse to use them.  Let's throw a long discussion and platform-independent,
Web2.0-ready and more buzzwords into the pot and we get the
need for a browser-based web frontend to the service.  And that's the
point where I do not get the full picture about Kerberos.

How would that work in a fully kerberized environment using all these
great features like single-sign-on and never transmitting a password
over the wire?  For sure, I would have to add the webserver to the KDC
database, but what then?  Would I add the webserver principal to the ACL
list of the service and add another authentication/authorization layer
into the web application?  Could I somehow forward the user's ticket for
the service to the webserver and make the application give it to the
service, proving this way that the user requested access to the service?
That would keep all authentication on the service side, but is it a good
idea to give a service ticket to another machine?  Would that even work
given that the user's machine IP# is added to the tickets, AFAICS?

In the current setup the software involved is MIT Kerberos, an OpenLDAP
server as service, e.g. phpLDAPadmin as web application, Apache httpd
running it, and various browsers used to access it running on different
OSes.  But I'm more interested in the general Kerberos idea of how to do
that.  However, if you point me to specific software I should use in
this setup I would be happy, too.

Thanks in advance for some enlightenment.

Kind regards,
-- 
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn
Germany

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
