Re: Is Kerberos a good solution for web-single signon
Christopher Kranz wrote:

> [EMAIL PROTECTED] (paul b) wrote in message news:[EMAIL PROTECTED]...
> > Hello, I am currently developing a web single sign-on system and I am thinking about using Kerberos for this purpose
> > [snip]
> > Perhaps someone can tell me if Kerberos is really a good solution for web single sign-on (and fully transparent to end-users) or if there are more simple possibilities, like for example installing a reverse proxy?
>
> I was wondering the same thing. In fact I started a similar thread a little while ago.
>
> The short answer is no, not really. And the reason is, HTTP is a stateless protocol. You would need to generate a new authenticator for each and every connection. Kerberos kind of assumes that once a session is started the connection is persistent.

There are two ways to go about this.

The simplest is to let Apache act as a Kerberos client, accepting USER/PASS via the HTTP/Basic authentication method. This is actually very bad for two reasons. Firstly, it uses the HTTP/Basic authentication method between browser and web server. This method is unencrypted and without SSL (HTTPS) it will defeat one of the basic intentions of Kerberos - encrypted authentication.

A much better way is to implement the HTTP/SPNEGO authentication method. In that model, the browser is a Kerberos client (with the user's principal) and Apache or IIS is a Kerberos server (with the server's principal), both authenticating against some Kerberos KDC (MIT KDC, MS ADS, Heimdal, ...). For this you need both server and browser to be Kerberos aware. Apache has mod_negotiate; IIS on Win2k/2k3 should be ready, since it is on MS ADS. Of the browsers, IE 6 should be OK, also Mozilla 1.5/1.6.

Nix.

Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
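The Negotiate model described above (browser as Kerberos client, web server checking a fresh authenticator on every stateless HTTP request) as an added Python example; it is not from the thread, nor from Apache, IIS or any Kerberos module. The token format (an HMAC under a constructed session key over client principal, client time and a nonce), the NegotiateService class and the principal paul@EXAMPLE.ORG are assumptions standing in for the real GSSAPI AP-REQ exchange. What it shows is why each request needs its own authenticator, how a clock-skew check and a replay cache reject a reused token, and why Basic credentials are refused when the connection is not TLS.

```python
"""Model of HTTP Negotiate authentication over a stateless protocol.

Constructed example. The Kerberos parts are simplified: the per-request
authenticator is an HMAC over the client principal, a client timestamp and a
nonce under a constructed "session key", standing in for the AP-REQ (service
ticket + encrypted authenticator) that GSSAPI would produce. It keeps the
properties the thread is about: a fresh authenticator per HTTP request, a
clock-skew check, a replay cache, and no Basic credentials off TLS.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SESSION_KEY = b"constructed-demo-session-key"  # constructed; really derived from the ticket
MAX_CLOCK_SKEW = 300                          # seconds, the usual Kerberos default


def make_authenticator(cname, ctime, nonce=None, key=SESSION_KEY):
    """Client side: build the value sent as 'Authorization: Negotiate <token>'.

    ctime is the client's clock in unix seconds; nonce plays the role of
    cusec / sequence number so two requests in the same second still differ.
    """
    nonce = nonce if nonce is not None else os.urandom(8).hex()
    body = json.dumps({"cname": cname, "ctime": int(ctime), "nonce": nonce},
                      sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()


class NegotiateService:
    """Server side: the checks a Kerberos-aware web server performs per request."""

    def __init__(self, key=SESSION_KEY, clock=time.time):
        self.key = key
        self.clock = clock
        self.replay_cache = set()  # (cname, ctime, nonce) tuples already accepted

    def verify(self, token):
        """Return (accepted, principal-or-rejection-reason) for one token."""
        try:
            b64_body, b64_mac = token.split(".", 1)
            body = base64.b64decode(b64_body, validate=True)
            mac = base64.b64decode(b64_mac, validate=True)
        except (ValueError, TypeError):
            return False, "malformed token"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad integrity check"
        auth = json.loads(body)
        # Authenticators are only valid within the permitted clock skew.
        if abs(self.clock() - auth["ctime"]) > MAX_CLOCK_SKEW:
            return False, "clock skew"
        # A token seen before must be a replay, even inside the skew window.
        replay_key = (auth["cname"], auth["ctime"], auth["nonce"])
        if replay_key in self.replay_cache:
            return False, "replay"
        self.replay_cache.add(replay_key)
        return True, auth["cname"]

    def handle(self, headers, tls=False):
        """One HTTP request -> (status, response headers, principal or reason)."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic ") and not tls:
            # Basic carries the password itself; off TLS it is readable on the wire.
            return 401, {"WWW-Authenticate": "Negotiate"}, "basic requires TLS"
        if not auth.startswith("Negotiate "):
            # Stateless: nothing from an earlier request helps, so challenge this one.
            return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"
        ok, result = self.verify(auth[len("Negotiate "):])
        if not ok:
            return 401, {"WWW-Authenticate": "Negotiate"}, result
        return 200, {}, result


def demo(now=1_000_000):
    """Two page loads by the same user, then a replay of the first token."""
    svc = NegotiateService(clock=lambda: now)
    first = make_authenticator("paul@EXAMPLE.ORG", now)
    second = make_authenticator("paul@EXAMPLE.ORG", now)
    return [
        svc.handle({})[0],                                         # 401 challenge
        svc.handle({"Authorization": "Negotiate " + first})[0],    # 200
        svc.handle({"Authorization": "Negotiate " + second})[0],   # 200, new authenticator
        svc.handle({"Authorization": "Negotiate " + first})[2],    # "replay"
    ]


if __name__ == "__main__":
    print(demo())
```

The replay cache is what a stateless transport forces on the server: since every request is authenticated on its own, the service, not the connection, has to remember which authenticators it has already honoured.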
Re: Is Kerberos a good solution for web-single signon
Other WebISO systems that might be of interest:

a-select: http://a-select.surfnet.nl/
cas: http://www.yale.edu/tp/auth/
cosign: http://weblogin.org/

You should probably also see the WebISO (web initial sign-on) group at Internet2: http://middleware.internet2.edu/webiso/

I should admit that, as a co-author of cosign, I'm rather biased, but you really should look at all of these systems closely before choosing one and particularly before choosing to write yet another one.

Kevin

On Mar 12, 2004, at 7:58 PM, Christopher Kranz wrote:

> I was wondering the same thing. In fact I started a similar thread a little while ago.
>
> The short answer is no, not really. And the reason is, HTTP is a stateless protocol. You would need to generate a new authenticator for each and every connection. Kerberos kind of assumes that once a session is started the connection is persistent.
>
> See UWash's pubcookie (http://www.pubcookie.org/) or Stanford's WebAuth (http://webauthv3.stanford.edu/) for examples of WebISO solutions.
> ... In, as you say, the mud. ...

Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Is Kerberos a good solution for web-single signon
[EMAIL PROTECTED] (paul b) wrote in message news:[EMAIL PROTECTED]...

> Hello, I am currently developing a web single sign-on system and I am thinking about using Kerberos for this purpose
> [snip]
> Perhaps someone can tell me if Kerberos is really a good solution for web single sign-on (and fully transparent to end-users) or if there are more simple possibilities, like for example installing a reverse proxy?

I was wondering the same thing. In fact I started a similar thread a little while ago.

The short answer is no, not really. And the reason is, HTTP is a stateless protocol. You would need to generate a new authenticator for each and every connection. Kerberos kind of assumes that once a session is started the connection is persistent.

See UWash's pubcookie (http://www.pubcookie.org/) or Stanford's WebAuth (http://webauthv3.stanford.edu/) for examples of WebISO solutions.

Christopher Kranz
[EMAIL PROTECTED]

Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Is Kerberos a good solution for web-single signon
Hello,

I am currently developing a web single sign-on system and I am thinking about using Kerberos for this purpose. The goal is that a user has to identify himself once, using an X.509 certificate, and that he then has access to a set of web sites. In addition, I have an LDAP tree that could be used for managing the user rights.

I am not 100% familiar with Kerberos, so I don't know if my idea works: I wanted to authenticate the user on the first connection using their certificate. Based on the certificate, it should be possible to get the user's Kerberos information (username, REALM and password) from the LDAP tree and pass this information to the Kerberos Authentication Server in order to get a ticket. Is this scenario possible and, if yes, will it be transparent to the user (the best would be to authenticate the user only with his certificate, but one password popup could be tolerable ;-)) and not too hard to implement?

As I understood, users must log in manually to the Kerberos system using Linux commands like kinit, ... and there are a lot of other commands that have to be typed by the user. Is that really necessary or is it possible to automate these functions so that they are transparent to the user?

Does kerberizing a web site introduce big changes to the site itself, can I interface Kerberos with the original login functions, or how does this work??

Perhaps someone can tell me if Kerberos is really a good solution for web single sign-on (and fully transparent to end-users) or if there are more simple possibilities, like for example installing a reverse proxy?

Could I, in later stages, also interface Kerberos with an SAP server, Citrix, ...?

Thanx
CB

Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos