Thanks for your help ... I'll research this further ... Regards,
Paul,

"Booker C. Bense" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> On Tue, 1 Jan 2002, Mug-O-Milk wrote:
>
> > Hello All (and Happy New Year).
> >
> > <Background information> ... disregard as necessary!
> >
> > As part of my final year studies at University, I'm comparing authentication
> > systems, such as Kerberos, NIS, Liberty Alliance, MS Passport etc. in terms
> > of their suitability for single-signon within a corporate environment
> > spanning different domains.
>
> - I'm feeling generous today so I'll answer your questions.
>
> > </Background Information>
> >
> > (1) The Ticket Granting Service and the Key Distribution Service:
> > ============================================
> > In diagrammatic examples that I have found, these are shown as two separate
> > entities. In practice, is this normally the same server running these
> > services, or are they really two different machines? If they are two
> > separate machines, by what means do they communicate with each other?
>
> - In theory, they could be two different machines, but in practice
> they are always processes on a single machine. There is
> no communication needed between the KDS and TGS. In general Kerberos
> "servers" don't need to talk to the KDC.
>
> > (2) Authentication
> > ============================================
> > Am I correct in reading that the client host is authenticated rather than
> > simply a user?
>
> - No. The only thing ever authenticated is a principal; the mapping
> from principals to other kinds of things is up to the underlying
> OS.
>
> > One overview of the method I have read at ....
> > http://web.mit.edu/kerberos/www/#what_is states that the "client" is
> > authenticated - which, in most terminology means the host machine, rather
> > than the "end user". Which is correct in terms of ????
>
> - All these definitions are muddled. The most useful way to think
> about it that I've found is to think in terms of unix processes.
> Kerberos is a way for a process on one machine to authenticate
> to another process over the network. What it does is prove that
> the process has access to the credentials of a given principal.
>
> - The mapping from principals to any other kind of id form is
> up to the underlying OS and Kerberos libraries.
>
> > If this is the case, RE: the local key that is kept by the client machine,
> > can this be transferred to any machine that the user uses, or is this key
> > registered to the machine that is being used?
>
> - If you ask for the right kind of credentials you can move them from
> machine to machine. It's called a forwardable ticket.
>
> - Booker C. Bense
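The forwardable-ticket point above, as an added example that is not part of the thread: a small Python check that parses the text layout of MIT Kerberos `klist -f` (layout assumed from MIT; the listing below is a constructed sample, not real output) and reports whether the cached TGT carries the F flag, so an administrator can see whether a user's credentials could be handed to another host.

```python
"""Check whether the TGT in an MIT `klist -f` listing is forwardable.

Added example, not from the thread. Assumes the MIT Kerberos `klist -f`
text layout (a "Flags:" line under each ticket); SAMPLE_KLIST is a
constructed sample, not real output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `klist -f` output (MIT layout, assumed).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2002 10:00:00  01/01/2002 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
01/01/2002 10:05:00  01/01/2002 20:00:00  host/fileserver.example.com@EXAMPLE.COM
\tFlags: A
"""

# MIT single-letter ticket flags relevant to this check.
FLAG_NAMES = {"F": "forwardable", "f": "forwarded", "P": "proxiable",
              "R": "renewable", "I": "initial", "A": "preauthenticated"}

# A ticket line: two timestamps ("date time") followed by the service principal.
TICKET_LINE = re.compile(r"^\d\S+ \S+\s+\d\S+ \S+\s+(\S+)\s*$")
FLAGS_LINE = re.compile(r"^\s*Flags:\s*(\S*)")


@dataclass
class Ticket:
    service: str
    flags: str


def parse_klist(text: str) -> list[Ticket]:
    """Pair each ticket line with the Flags: line that follows it."""
    tickets: list[Ticket] = []
    service = None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            service = m.group(1)
            continue
        fm = FLAGS_LINE.match(line)
        if fm and service:
            tickets.append(Ticket(service, fm.group(1)))
            service = None
    return tickets


def tgt_is_forwardable(tickets: list[Ticket], realm: str) -> bool:
    """True if the krbtgt ticket for `realm` carries F, i.e. the
    credentials were issued so they can be moved to another machine."""
    tgt = f"krbtgt/{realm}@{realm}"
    return any(t.service == tgt and "F" in t.flags for t in tickets)
```

On a real host, feed the output of `klist -f` into `parse_klist` instead of the constructed sample; a forwardable TGT is exactly the credential that can travel, so its presence is worth auditing on shared or untrusted machines.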
