>I am interested in building a system (similar to Microsoft's .Net My >Services) that is a family of web services that clients authenticate >against using Kerberos. The idea is to have clients hit the KDC via >SOAP calls over SSL and get the ticket. Then they ask the KDC for a >ticket to communicate with a specific web service. Once I have that, I >should be able to encrypt all SOAP messages to the web service and >just pass the username.
I believe Sam Hartman already pointed out that generating a new network protocol to communicate with the KDC is a Really Bad Idea. In general, that part of Kerberos is supposed to be invisible to you. You could do that (I believe you said you wanted to avoid firewalls), but you would be making yourself not interoperate with all of the existing code that's already out there. >But this doesn't seem to fit into the idea of how Kerberos >authentication works. Is anyone doing Kerberos authentication via SOAP >calls? What do people recommend for an authentication mechanism for a >family of web services? If you mean, "Is anyone using SOAP as a Kerberos client/KDC communication protocol", the answer is likely no. If you're asking if anyone is using Kerberos to authenticate a SOAP-based protocol ... I don't know. --Ken ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
