I'm curious what other sites are doing for http authentication using
Kerberos. There have been various projects in the past, but none have been
the perfect solution (Kerberos built into the browsers).

We've been using Sidecar here at Dartmouth, but are running into more and
more users who are behind firewalls or NAT, or unable to install the
Kerberos software.

There are various other solutions; the ones I've found are listed below:

- The proxy method: a web server that acts as the Kerberos proxy and holds
the tickets, and then hands out cookies or certificates to the browsers

- Sidecar: a separate application on the client that listens for incoming
connections from the server to pass back the Kerberos ticket. There are
some security concerns with this on multi-user systems like Unix and Mac
OS X; no one has written a Sidecar version that is safe for multi-user
machines.

- Project Minotaur: A CMU project that uses the plugin architecture of
MSIE and Netscape and Java/JavaScript to handle the Kerberos side of
authentication for the browser.

<http://asg.web.cmu.edu/minotaur/index.html>

- There seems to be a draft spec on using Kerberos for SSL authentication,
but I haven't found any evidence that any of the software exists or is in
use.

<http://www.ornl.gov/~jar/HowToKerb.html#Auth>

Are there any other ideas in use out there that I haven't listed? We're
trying to figure out what we want to do as we go forward, and are looking
for what other institutions are using. 

Steve Cochran
Dartmouth College
