Further Information

Robert Wehn robert.wehn at rz.uni-augsburg.de
Mon Dec 16 07:01:09 EST 2013

On 09.12.2013 10:09, Pierre Hennebois wrote:
> I develop an extranet for a school (Saint Joseph Toulouse, in France).
> I want users to have to authenticate only once, because I have
> several web applications which need an authentication.
> I have three Active Directories (Windows 2003 and 2008) for different
> classes of users.
> The extranet is a Joomla! website, on a Linux Debian server. The other
> applications are on the same server.
> I understand that:
> - Kerberos can have several ADs.
> - It is possible to authenticate only once in local, when users
> are on a computer that is in the domain, isn't it?
- Yes it is. The application (Internet Explorer, Firefox etc.) has to be
  configured to try Kerberos authentication
  (may be the case by default, depending on version)
- Make one Kerberos realm trust users from other realms
  => As this Kerberos (e.g. AD 1) trusts AD2 and AD3 users, it should be
     the one on which it is no security issue that the users from AD2 and
     AD3 are in principle allowed to log in to computers in AD1, or you
     make a MIT Kerberos REALM that trusts all 3 ADs
  => Configure the clients to know about that trust:
     - ksetup.exe or GPO to let them know about the other realms
     - "host-to-realm" mapping or TXT records in DNS
- You have to make a "keytab file" (Kerberos identity and "password" file
  for the web server) in this Kerberos realm
  (http/servername-fqdn at MYREALM.COM)
- configure your web server to use the Kerberos authentication with the
  keytab by default
> But if users want to connect to the extranet from their home, does
> Kerberos make an error? And block the manual authentication?
This can be done, if your web server can handle that fallback to
username and password:
We have an Apache in an MIT Kerberos realm configured that way:
- if you have a kerberized Linux system and log in as a Kerberos user,
  you can access by Firefox without password
- if you have a different computer, you are prompted for a password.
  => remember: as you have several REALMs the users will have to give
     user AND realm to log in, e.g. username at REALM instead of only
     username. Users from one "Default Realm" can authenticate using
     only username and password
> If Kerberos cannot authenticate users as they are at home:
> - Can they authenticate themselves on the extranet, and
> Kerberos works with this authentication and authenticates the users for
> the other applications?
This would also be possible, either by logging in to some Windows or
Linux machine by RDP or sth like that, or (very complicated, as it has
to be configured locally) using Kerberos at home...
> - Or do users have to authenticate themselves once per application?
If you do it the easy way directly by the web server's fallback (A)
this may be necessary; if you use (B) then it's as in your school: log in
once and access everywhere.
> Thank you for your future answers,

Greetings, Robert.



Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
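An added example, not Robert's configuration and not part of the mail: an Apache mod_auth_kerb block that implements the "Kerberos first, username/password fallback" behaviour described above. The URL prefix /extranet, the keytab path /etc/apache2/http.keytab and the realm MYREALM.COM are assumed values.

```apache
# Added example (not the configuration from the mail). Assumed values:
# keytab path /etc/apache2/http.keytab, URL prefix /extranet, and the
# realm MYREALM.COM standing in for the realm that holds the HTTP principal.
<Location /extranet>
    AuthType Kerberos
    AuthName "Extranet login"

    # Keytab holding HTTP/servername-fqdn@MYREALM.COM. It is the server's
    # long-term key, so it should be readable by the Apache user only.
    Krb5Keytab /etc/apache2/http.keytab
    KrbServiceName HTTP

    # Realms tried for the password fallback when the user types a bare
    # username. Users of a realm not listed here type user@REALM instead,
    # which is the "user AND realm" point made in the mail.
    KrbAuthRealms MYREALM.COM

    # 1) Try SPNEGO first: a browser on a domain-joined machine presents
    #    its service ticket and the user is never prompted.
    KrbMethodNegotiate On

    # 2) Fallback for users at home: HTTP Basic auth, the password is
    #    verified against the KDC. Serve this only over TLS, because the
    #    password travels in the request.
    KrbMethodK5Passwd On

    # Check the KDC's reply against the HTTP keytab so that a spoofed KDC
    # cannot "accept" an arbitrary password for the fallback path.
    KrbVerifyKDC On

    # A plain login needs no delegated credentials on the server.
    KrbSaveCredentials Off

    Require valid-user
</Location>
```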
