Hello All (and Happy New Year).

<Background information> ... disregard as necessary!

As part of my final year studies at University, I'm comparing authentication systems, such as Kerberos, NIS, Liberty Alliance, MS Passport etc. in terms of their suitability for single sign-on within a corporate environment spanning different domains. This, ultimately, [based on the result of the research] will lead to the development of a scalable authentication system for OS and Applications, or, a tool to manage the history of accounts possessed by employees throughout their employment to enable their swift deletion upon leaving the company.

The reason why I am posting here is that my research is currently concentrating on Kerberos and examining its current uses. I have read some useful Kerberos documentation from Stanford University regarding the overview of the workings of Kerberos, as in the stages to obtain authentication; however, through searching through archives of Newsgroups and on Google, I can't find a simple overview which helps me explain the following two questions. I've posted them as the same post as I believe they are both related in some way:
</Background Information>

(1) The Ticket Granting Service and the Key Distribution Service:
============================================
In diagrammatic examples that I have found, these are shown as two separate entities. In practice, is this normally the same server running these services, or are they really two different machines? If they are two separate machines, by what means do they communicate with each other?

(2) Authentication
============================================
Am I correct in reading that the client host is authenticated rather than simply a user? One overview of the method I have read at http://web.mit.edu/kerberos/www/#what_is states that the "client" is authenticated - which, in most terminology, means the host machine, rather than the "end user". Which is correct in terms of ????

If this is the case, RE: the local key that is kept by the client machine, can this be transferred to any machine that the user uses, or is this key registered to the machine that is being used? The reason for my confusion is that reading into the MS Passport documentation at http://www.microsoft.com/presspass/press/2001/sep01/09-20PassportFederationPR.asp states that it supports Kerberos; however, as per the above questioned definition of Client, how can Passport authenticate the same "user" on multiple machines without the use of this key?
============================================

I'm not after the answer on a plate (although it would be nice!). However, I'm more than prepared to follow some pointers to further research!! It's simply that I've been going around in circles attempting to find the solution to my problems. To be honest, I think I'm getting all my authentication methods confused since that's all I've been reading about for the last three months !!!

Thanks in advance.

Paul Lewis, University of the West of England, Bristol, UK.
==========================================================
If personally replying, please decipher SPAM-preventing e-mail address as necessary.

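The two questions above concern how the AS and TGS relate and which principal a Kerberos ticket names. The following is an added toy model of the Kerberos v5 AS and TGS exchanges (example code, not from the original post or from any Kerberos implementation): one KDC process hosts both services over a single principal database, the user's long-term key is derived from the password, and the service ticket names the user principal, not the workstation. The realm, principal names, password and the XOR+HMAC "cipher" are all constructed stand-ins, not real Kerberos enctypes.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"  # constructed example realm

def derive_key(password, salt):
    # Kerberos "string-to-key": long-term key from password + salt (PBKDF2 stands in here)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, obj):
    # Toy authenticated encryption standing in for a Kerberos enctype: keystream XOR + HMAC
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad MAC: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:
    """One process hosting both the AS and the TGS over a single principal database."""
    def __init__(self):
        self.db = {  # long-term keys; only the KDC holds all of them (constructed values)
            f"paul@{REALM}": derive_key("correct horse", REALM + "paul"),
            f"krbtgt/{REALM}@{REALM}": os.urandom(32),
            f"host/fs1.example.com@{REALM}": os.urandom(32),
        }
    def as_exchange(self, cname):
        # AS-REP: TGT sealed under the krbtgt key, session key sealed under the user's key
        sk = os.urandom(32).hex()
        tgt = seal(self.db[f"krbtgt/{REALM}@{REALM}"], {"cname": cname, "sk": sk, "exp": time.time() + 36000})
        return seal(self.db[cname], {"sk": sk, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt_hex, authenticator, sname):
        # TGS-REP: the TGT plus a fresh authenticator proves the earlier AS login; no password is sent
        t = unseal(self.db[f"krbtgt/{REALM}@{REALM}"], bytes.fromhex(tgt_hex))
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"] or t["exp"] < time.time():
            raise ValueError("authenticator does not match ticket, or ticket expired")
        ssk = os.urandom(32).hex()
        ticket = seal(self.db[sname], {"cname": t["cname"], "sk": ssk})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "ticket": ticket.hex()})

def login_and_get_service_ticket(kdc, user, password, sname):
    # Client side: runs on any workstation, since the key is recomputed from the password
    cname = f"{user}@{REALM}"
    rep = unseal(derive_key(password, REALM + user), kdc.as_exchange(cname))
    sk = bytes.fromhex(rep["sk"])
    trep = unseal(sk, kdc.tgs_exchange(rep["tgt"], seal(sk, {"cname": cname, "ts": time.time()}), sname))
    # The service decrypts the ticket with its own key; the principal named in it is the user
    return unseal(kdc.db[sname], bytes.fromhex(trep["ticket"]))["cname"]
```

A wrong password yields a wrong derived key, so the AS-REP fails to unseal and no TGT is ever obtained; the service side never sees the password at all, only a ticket under its own key.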