Kerberos in Browser based Applications

Thomas Hardjono hardjono at MIT.EDU
Wed Mar 4 12:00:29 EST 2009


Getting Kerberos to support single-sign-on on the Web (Web-SSO) has a number
of challenges.  I'm not sure if the browsers today fully support the
trafficking of Kerberos tickets/tokens. The closest seems to be
HPPT-Negotiate, but I believe it also need more work. There are a set of
drafts in the IETF that are trying to address some of these issues. Then
there is the question of how to get all this working with the Identity
Federation infrastructures.

ps. Kerb-on-the-web is one of the initiatives at the MIT-KC.



> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> Behalf Of Frank Gruellich
> Sent: Tuesday, March 03, 2009 12:47 PM
> To: kerberos at MIT.EDU
> Subject: Kerberos in Browser based Applications
> Hi,
> I have set up a Kerberos realm.  A user and a service (let's say a
> database) are both included as principals in KDC database and the
> service restricts access to */dbuser at EXAMPLE.COM.  User and service can
> communicate perfectly using a database CLI at the users machine.
> Now these days CLIs aren't "state-of-the-art" anymore and $managers
> refuse to use them.  Let's throw a long discussion and platform
> independent, Web2.0 ready and more buzzwords into the pot and we get the
> need for a browser based web frontend to the service.  And that's the
> point where I do not get the full picture about Kerberos.
> How would that work in a fully kerberized environment using all these
> great features like single-sign-on and never transmitting a password
> over the wire?  For sure, I would have to add the webserver to the KDC
> database, but what then?  Would I add the webserver principal to the ACL
> list of the service and add another authentication/authorization layer
> into the web application?  Could I somehow forward the users ticket for
> the service to the webserver and make the application to give it to the
> service proving this way that the user requested access to the service?
> That would keep all authentication on service side, but is it a good
> idea to give a service ticket to another machine?  Would that even work
> given that the users machine IP# is added to the tickets, AFAICS?
> In the current setup the software involved are MIT Kerberos, an OpenLDAP
> server as service, e.g. phpLDAPadmin as web application, Apache httpd
> running it, and various browsers used to access it running on different
> OS's.  But I'm more interested in the general Kerberos idea how to do
> that.  However, if you point me to specific software I should use in
> this setup I would be happy, too.
> Thanks in advance for some enlightenment.
> Kind regards,
> --
> Navteq (DE) GmbH
> Frank Gruellich
> Map24 Systems and Networks
> Duesseldorfer Strasse 40a
> 65760 Eschborn
> Germany
> Phone:      +49 6196 77756-414
> Fax:        +49 6196 77756-100
> USt-ID-No.: DE 197947163
> Managing Directors: Thomas Golob, Alexander Wiegand,
> Hans Pieter Gieszen, Martin Robert Stockman
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list