RE: [fw-wiz] LDAP and Kerberos?

From: Christopher Hicks (
Date: 09/20/04

    To: Firewall Wizards Mailing List <>, "Melson, Paul" <>
    Date: Mon, 20 Sep 2004 12:27:14 -0400 (EDT)

    On Mon, 20 Sep 2004, Melson, Paul wrote:
    >> -----Original Message-----
    >> On Mon, 20 Sep 2004, Melson, Paul wrote:
    >>> I'm not sure you've given enough information about your back end
    >>> architecture to say for sure,
    >> I'm not sure what else to say about the architecture. I'll
    >> be happy to answer any questions though.
    > Specifically, what else besides the web application will you be
    > authenticating? How many users? If the primary goal of this directory
    > is to provide authentication for this web app. plus maybe admin
    > services, then Kerberos is a waste of time since it's not compatible
    > with the web app.

    About 200 users currently. The LDAP server will be used for
    authenticating a handful of web apps (one of which is bugzilla and several
    others we've written in house), authenticating Linux/UNIX shell users
    across a dozen boxes, and supporting distributing authoritative sendmail
    across an array of three boxes widely geographically distributed. So,
    kerberos gets me nothing for sendmail or bugzilla as far as I know. I'm
    sure the Linux login piece could be kerberized, but since the primary
    login method for 98% of the users is across the web there's not going to
    be any useful single logon. Oh, I do want to do samba through LDAP at
    some point.

    > The advantage of mutual authentication is that it prevents playback
    > spoofing and man-in-the-middle attacks. It's designed to make it
    > difficult for a third system to get access to services by eavesdropping
    > or otherwise intercepting or interfering with the authentication
    > process.

    Ah, so I can set up my own CA and accomplish most of the same thing. I see
    now. Thank you.

    There are two ways of constructing a software design. One way is to make 
    it so simple that there are obviously no deficiencies. And the other way 
    is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare
    firewall-wizards mailing list
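The private-CA approach the reply settles on, shown as an added shell example that is not part of the thread: a private root CA issues the LDAP server's certificate, and the client-side verification that rejects a certificate for the same name from any other issuer. Host names, file names and the `verify_against_ca` helper are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): private CA for LDAP over TLS.
# Clients that trust only this CA reject any server certificate that does
# not chain to it, which is what defeats an interposed server.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Private root CA (self-signed).  Names are constructed for the example.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Private LDAP CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. Server key and CSR for the LDAP host, signed by the private CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ldap.example.test" -keyout ldap.key -out ldap.csr 2>/dev/null
openssl x509 -req -in ldap.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -out ldap.crt 2>/dev/null

# 3. A self-issued certificate for the same host name from an issuer the
#    clients do not trust; this is what a man-in-the-middle would present.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=ldap.example.test" -keyout rogue.key -out rogue.crt 2>/dev/null

# verify_against_ca CERT: exit 0 if CERT chains to our CA, non-zero otherwise.
# This is the same check an LDAP client performs when it is told to trust
# only ca.crt.
verify_against_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Client-side OpenLDAP settings that enforce the check (ldap.conf):
#   TLS_CACERT  /etc/ssl/certs/ca.crt
#   TLS_REQCERT demand      # refuse any server cert that does not chain to ca.crt
# Note: the CSR above carries no subjectAltName; production certificates
# should include one, since clients match the host name against it.
```

With this in place the server is authenticated to the client; the client still authenticates with a password inside the TLS channel, so the arrangement is not mutual certificate authentication unless client certificates (or a SASL mechanism) are added on top.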

