[EMAIL PROTECTED] (paul b) wrote in message news:<[EMAIL PROTECTED]>...
> [snip]
> Hello, I am currently developing a "web single sign-on" system and I am thinking about using Kerberos for this purpose.
> Perhaps someone can tell me if Kerberos is really a good solution for web single sign-on (and fully transparent to end users), or if there are simpler possibilities, like for example installing a "reverse proxy"?
I was wondering the same thing. In fact I started a similar thread a
little while ago. The short answer is no, not really. And the reason
is, HTTP is a stateless protocol. You would need to generate a new
authenticator for each and every connection. Kerberos kind of assumes
that once a session is started the connection is persistent.
There are two ways to go about this. The simplest is to let Apache act as a Kerberos client, accepting USER/PASS via the HTTP/Basic authentication method. This is actually very bad for two reasons. Firstly, it uses the HTTP/Basic authentication method between browser and web server. This method is unencrypted, and without SSL (HTTPS) it will defeat one of the basic intentions of Kerberos - encrypted authentication.

A much better way is to implement the HTTP/SPNEGO authentication method. In that model, the browser is a Kerberos client (with the user's principal) and Apache or IIS is a Kerberos server (with the server's principal), both authenticating against some Kerberos KDC (MIT KDC, MS ADS, Heimdal, ...). For this you need both server and browser to be "Kerberos aware". Apache has "mod_negotiate"; IIS on Win2k/2k3 should be ready, since it is on MS ADS. Of the browsers, IE 6 should be OK, as should Mozilla 1.5/1.6.

Nix.
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
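The two schemes the reply above contrasts (HTTP/Basic carrying a password in the clear, versus Negotiate carrying a GSS-API/SPNEGO token) differ in what the server actually receives in the Authorization header. The following is an added example, not code from the thread or from Apache/IIS: it builds the 401 challenge a server sends, decodes an Authorization header, and classifies what arrived, so a server (or a log-analysis script) can tell a Kerberos token from a Basic password and from the NTLM fallback that Windows browsers send when they have no ticket. Real servers hand the token to GSSAPI (gss_accept_sec_context) rather than parsing it themselves; the token framing and OIDs below are from RFC 2743/RFC 4178, while the sample headers, the function names and the "kerberos_only" policy are constructed for this example.

```python
import base64
import binascii

# GSS-API mechanism OIDs as DER contents (without the 0x06 tag byte).
OID_SPNEGO  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft's krb5 variant)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def gss_mech(token: bytes):
    """Mechanism OID of an RFC 2743 InitialContextToken (0x60 <len> 0x06 <oidlen> <oid> ...), else None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    i = 1
    first = token[i]
    i += 1
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or len(token) < i + n:
            return None
        length = int.from_bytes(token[i:i + n], "big")
        i += n
    else:
        length = first
    if length != len(token) - i:  # outer length must cover exactly the remaining bytes
        return None
    if len(token) < i + 2 or token[i] != 0x06:
        return None
    oidlen = token[i + 1]
    i += 2
    if oidlen & 0x80 or len(token) < i + oidlen:
        return None
    return token[i:i + oidlen]


def classify_authorization(header: str) -> str:
    """Describe what an Authorization header carries; labels are this example's own."""
    scheme, _, param = header.strip().partition(" ")
    scheme, param = scheme.lower(), param.strip()
    if scheme == "basic":
        try:
            creds = base64.b64decode(param, validate=True)
        except binascii.Error:
            return "basic:malformed"
        # The password is recoverable by anyone on the path: base64 is not encryption.
        return "basic:" + creds.partition(b":")[0].decode("utf-8", errors="replace")
    if scheme == "negotiate":
        try:
            token = base64.b64decode(param, validate=True)
        except binascii.Error:
            return "negotiate:malformed"
        if token.startswith(b"NTLMSSP\x00"):      # raw NTLM, sent by browsers that have no Kerberos ticket
            return "negotiate:ntlm"
        mech = gss_mech(token)
        if mech in (OID_KRB5, OID_MS_KRB5):
            return "negotiate:krb5"
        if mech == OID_SPNEGO:
            # Substring check on the NegTokenInit mechTypes list (a heuristic; GSSAPI does the real parse).
            offers_krb = any(b"\x06" + bytes([len(o)]) + o in token for o in (OID_KRB5, OID_MS_KRB5))
            return "negotiate:spnego-krb5" if offers_krb else "negotiate:spnego-no-krb5"
        return "negotiate:unknown"
    return "unsupported"


def challenge_headers(allow_basic: bool = False, realm: str = "example") -> list:
    """WWW-Authenticate values for the 401 that starts the exchange; Negotiate first so browsers prefer it."""
    headers = ["Negotiate"]
    if allow_basic:
        headers.append('Basic realm="%s"' % realm)
    return headers


def accept(header: str, over_tls: bool, kerberos_only: bool = True) -> bool:
    """Policy: Kerberos tokens always; Basic only over TLS and only if Kerberos-only SSO is not the goal."""
    kind = classify_authorization(header)
    if kind.startswith("basic:"):
        return over_tls and not kerberos_only
    return kind in ("negotiate:krb5", "negotiate:spnego-krb5")


def make_gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return b"\x60" + der_length(len(body)) + body


# Constructed sample headers (not captured from a browser or KDC). The SPNEGO inner bytes are
# only the mechTypes OIDs, not a complete NegTokenInit; the krb5 inner bytes are filler.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:hunter2").decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(make_gss_token(OID_KRB5, b"\x01\x00" + b"\x00" * 40)).decode()
SAMPLE_SPNEGO_KRB = "Negotiate " + base64.b64encode(
    make_gss_token(OID_SPNEGO, b"\x06\x09" + OID_KRB5 + b"\x06\x0a" + OID_NTLMSSP)).decode()
SAMPLE_SPNEGO_NTLM = "Negotiate " + base64.b64encode(make_gss_token(OID_SPNEGO, b"\x06\x0a" + OID_NTLMSSP)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    print("401 challenge:", challenge_headers())
    for h in (SAMPLE_BASIC, SAMPLE_KRB5, SAMPLE_SPNEGO_KRB, SAMPLE_SPNEGO_NTLM, SAMPLE_RAW_NTLM):
        print(classify_authorization(h), "accepted over plain HTTP:", accept(h, over_tls=False))
```

The "spnego-no-krb5" and "ntlm" cases are the ones worth alerting on in a deployment meant to be Kerberos-only: they mean the browser could not get a service ticket (no TGT, missing SPN, host not trusted for integrated authentication) and is offering a weaker mechanism instead, which a misconfigured server may silently accept. The point made in the first reply also applies: with Negotiate every request carries a fresh token unless the application issues its own session cookie after the first successful exchange.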
