Oliver Baltz wrote:
Only if you use Microsoft IIS and Microsoft IE browser. They have integrated*** post for FREE via your newsreader at post.newsfeed.com ***Hi there, I hope someone is ready to answer me some "beginner" questions :-) I just start asking... 1. Is Kerberos suitable for securing WebSites? (Background: Single sign-on for web-based applications on different domains using different technologies like PHP, JSP, ... They're all under a common administrative control)
a unique method for doing Kerberos authentication using GSSAPI and SPNEGO.
They did publish an IETF draft describing the method and so, theoretically,
someone could implement the same stuff in Apache and Mozilla, but noone
has yet done so. If you really want to use Kerberos for Web SSO, you
probably need to go with Microsoft Active Directory, IIS, and IE.
The security history of IIS and IE is well documented, so choose wisely :)
2. If so, which browsers respectively operating systems do support kerberos-enabled WebSites? Can Kerberos-support for webSites be installed afterwards?
see above.
This sounds like you are asking for "authorization" information, which is2. Is it possible to use a LDAP directory server to store each user's access rights, and let the ticket granting server use LDAP to decide whether it grants a ticket or not?
distinctly different from Authentication (which Kerberos provides).
Your servers can be coded to use whatever they like to do the authorization
checking, including LDAP lookups of some sort. Its beyond the scope
of the KDC to decide whether or not a user should have access to a particular
service. The KDC simply manages keys and issues tickets, it does not
perform the authorization checking for the kerberized services for which it
issues tickets.
3. Are there any commercial implementations supporting all of that?
Windows 2000/XP Active Directory, IIS, IE all together might provide some of what you are asking for, but perhaps not everything you want. ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
