On Wed, 20 Sep 2006 16:35:52 +0300 "Ilan Frenkel" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Has anyone used Kerberos in Windows 2000\2003 server environment?

Yes, "Active Directory" is basically a KDC and an LDAP server.

> Is it possible to retrieve group information from Active Directory when
> doing Kerberos authentication to W2K or Windows 2003?

Technically, yes. In practice, it's non-trivial. Tickets issued by Active
Directory have group information buried in the authorization-data field
but it is not easily accessible and even if you do get it out it's
basically a list of numbers which isn't useful in itself. The ideal
solution is to get the RIDs from the Kerberos ticket and use DCE/RPC to
look up any names you use in your config, within scripts, etc. This is
what our PlexSSO product does (see sig).

> With LDAP and NTLM it is possible to retrieve group membership information.

Technically, yes. In practice, it's not adequate. Doing proper group
expansion would require recursive queries and possibly referrals. Then you
have to cache and compare large amounts of strings. You can easily make
something look like it's working in a small environment but it's unlikely
to be correct and it doesn't scale.

Also, NTLM is not ideal for Web SSO as it requires communication with the
domain controller and multiple messages to authenticate. Kerberos is much
better. Same LDAP limitations described above apply to both though.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
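The two group-resolution paths discussed in the reply above, as an added illustration that is not part of the mailing-list post and is not PlexSSO code. It models, on constructed data, (a) the "list of numbers" case: qualifying the RIDs taken from a ticket with the domain SID and resolving them to names, where the dict stands in for the DCE/RPC lookup the post describes, and (b) the LDAP case: why a single memberOf read is not enough, and why transitive expansion needs a visited set. The domain SID, RIDs, DNs and group names are all made up; the ticket-parsing step itself is assumed to have already happened.

```python
"""Added example (not from the post or from PlexSSO): group resolution from
ticket RIDs versus recursive LDAP memberOf expansion, on constructed data."""

from collections import deque

# --- Path 1: RIDs from the ticket's authorization data ---------------------
# Assumption: the ticket has already been parsed and yields the domain SID
# plus a list of bare RIDs. All values below are constructed samples.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TICKET_GROUP_RIDS = [513, 1105, 1203, 9999]   # 9999: deliberately unknown

# Stand-in for the name lookup the post says is done over DCE/RPC; a real
# implementation would ask the domain controller instead of this dict.
SID_NAME_TABLE = {
    DOMAIN_SID + "-513": "Domain Users",
    DOMAIN_SID + "-1105": "Web Admins",
    DOMAIN_SID + "-1203": "Finance",
}


def rid_to_sid(domain_sid: str, rid: int) -> str:
    """Qualify a bare RID with the domain SID to get a full SID string."""
    return f"{domain_sid}-{rid}"


def resolve_ticket_groups(domain_sid, rids, table=SID_NAME_TABLE):
    """Map the ticket's RIDs to group names. Unknown RIDs are kept (value
    None) rather than silently dropped, so a lookup gap stays visible."""
    result = {}
    for rid in rids:
        sid = rid_to_sid(domain_sid, rid)
        result[sid] = table.get(sid)
    return result


# --- Path 2: recursive group expansion over LDAP-style attributes ----------
# Constructed directory: each entry lists its direct memberOf values.
# "Nested" shows why one query is not enough; "Cycle" shows why the
# expansion must remember what it has already visited.
MEMBER_OF = {
    "CN=alice,CN=Users,DC=example,DC=com": [
        "CN=Web Admins,CN=Users,DC=example,DC=com",
    ],
    "CN=Web Admins,CN=Users,DC=example,DC=com": [
        "CN=Nested,CN=Users,DC=example,DC=com",
    ],
    "CN=Nested,CN=Users,DC=example,DC=com": [
        "CN=Cycle,CN=Users,DC=example,DC=com",
    ],
    "CN=Cycle,CN=Users,DC=example,DC=com": [
        "CN=Web Admins,CN=Users,DC=example,DC=com",  # cycle back to the top
    ],
}


def direct_groups(dn, directory=MEMBER_OF):
    """One read of memberOf: where a naive implementation stops."""
    return list(directory.get(dn, []))


def expand_groups(dn, directory=MEMBER_OF):
    """Transitive memberOf closure, breadth-first, with a visited set so
    cyclic nesting terminates. Returns the sorted list of group DNs."""
    seen = set()
    queue = deque(directory.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return sorted(seen)


if __name__ == "__main__":
    for sid, name in resolve_ticket_groups(DOMAIN_SID, TICKET_GROUP_RIDS).items():
        print(sid, "->", name or "<unresolved>")
    alice = "CN=alice,CN=Users,DC=example,DC=com"
    print("direct:  ", direct_groups(alice))
    print("expanded:", expand_groups(alice))
```

Against a real directory each `directory.get` in `expand_groups` would be an LDAP search (and possibly a referral chase), and the DN strings would need case-insensitive comparison before being used as set keys; that per-group round trip and string caching is the scaling cost the reply is pointing at, which the ticket-RID path avoids.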
