On Jul 20, 8:52am, Rouiller Claude wrote:
} Subject: RE: None (Microsoft KDC)

>> -----Original Message-----
>> From: azimuth 1 [mailto:[EMAIL PROTECTED]
>> Sent: Monday, July 19, 2004 12:48 PM
>> To: [EMAIL PROTECTED]
>
>> In this white paper available at the address:
>> www.microsoft.com/windows2000/techinfo/howitworks/security/kerbint.asp.
>> I concluded that a good alternative for a network using Active Directory
>>
>> Samy

> I guess: If you use a non-Windows KDC, you'll have difficulties to
> set up authorization for your Windows users. (I know MIT Kerberos
> is not designed for authorization, but I try to be pragmatic).
>
> So, I think this is a fairly good approach.

> Claude

Actually we are trying to address the problem of Kerberos not having
an implicit authorization model. Our design objective, in contrast to
another major player... :-), was to do it in a manner which naturally
leverages LDAP and Kerberos without requiring explicit changes to the
KDC or the contents of the credentials.

Once we have the basics up and running our roadmap is to implement a
model where the service authorization instance identity is encoded in
the service ticket. This simplifies authorization, particularly with
respect to desktops, yet continues the model of providing a
cryptographic guarantee on the integrity of the directory as a source
of authorization information.

WEB site in the signature has more details with updated code at the
end of the week for anyone interested.

Best wishes for a pleasant and productive day.

}-- End of excerpt from Rouiller Claude

As always,
GW

------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos