Hello, I am currently developing a "web single signon" system and I am thinking about using Kerberos for this purpose.

The goal is that a user has to identify themselves once, using an X.509 certificate, and then has access to a set of web sites. In addition, I have an LDAP tree that could be used for managing the user rights. I am not 100% familiar with Kerberos, so I don't know if my idea works: I wanted to authenticate the user on the first connection using their certificate. Based on the certificate, it should be possible to get the user's Kerberos information (username, REALM and password) from the LDAP tree and pass this information to the Kerberos Authentication Server in order to get a ticket.

Is this scenario possible and, if yes, will it be transparent to the user (the best would be to authenticate the user only with their certificate, but one password popup could be tolerable ;-)) and not too hard to implement?

As I understood, users must log in manually to the Kerberos system using Linux commands like "kinit", ... and there are a lot of other commands that have to be typed by the user. Is that really necessary, or is it possible to "automate" these functions so that they are transparent to the user?

Does kerberizing a web site introduce big changes to the site itself? Can I interface Kerberos with the original login functions, or how does this work?

Perhaps someone can tell me if Kerberos is really a good solution for web single signon (and fully transparent to end users), or if there are simpler possibilities, like for example installing a "reverse proxy"?

Could I, in later stages, also interface Kerberos with an SAP server, Citrix, ...?

Thanx
CB

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos