Re: kerberos and web-single signon, a good solution??
From: Thomas Vincent (thomasv_at_mac.com)
Date: 11 Mar 2004 20:14:10 -0800
firstname.lastname@example.org (paul b) wrote in message news:<email@example.com>...
> I am currently developping a "web single signon"-system and I am
> thinking about using Kerberos for this propose
This article at Oreilly's Onlamp.com might help:
> The goal is that a user has to identify itself once, using a
> X.509-certificate and that he has then access to a set of web-sites.
> In addition, I have an LDAP tree that could be used for managing the
> user rights.
x.509 has nothing to do with Kerberos. x.509 relates to PKI.
> I am not at 100% familiar with Kerberos, so I dont know if my idea
> I wanted to authenticate the user on the first connection using their
> certificate. Based on the certificate, it should be possible to get
> the user's Kerberos(username, REALM and password) information from the
> LDAP-tree and pass this information to the Kerberos Authentication
> server in order to get a ticket.
Sorry, I don't think this would work. Kerberos doesn't use x.509
certs. You are better off using http://modauthkerb.sourceforge.net and
authenticating directly against the KDC. Otherwise just use a straight
PKI implimentation using x.509 certs.
> Is this scenario possible and if yes, will it be transparent to the
> user(the best would be to authenticate the user only with its
> certificate, but one password popup could be tolerable ;-)) and not to
> hard to implement.
This scenario is not possible.
> As I understood, users must login manually to the Kerberos-system
> using Linux commands like "kinit",... and there is a lot of other
> command that have to be typed by the user. Is that really necessary or
> is it possible to "automize" this functions so that they are
> transparent to the user?
Following the Oreilly article and reading the docs for
http://modauthkerb.sourceforge.net/ you should be able to make it
transparent from a web perspective.
> Does kerberizing a web-site introduce big changes to the site itself,
> can I interface Kerberos with the original login-functions or how does
> this work??
No, but keberizing the rest of the architecture does.
> Perhaps someone can tell me if Kerberos is really a good solution for
> web-single signon(and fully transparent to end-users) or if there are
> more simple possiblities like for example installing a "reverse
Generally when people use Kerberos it is because they have a existing
Kerberos infrastructure they are trying to preserve. MIT, and CMU are
great examples of this.
If you don't, and you just want to have single-sign on for web use
x.509. If you want to include CLI tools and the such then use
> Could I, in later stages, also interface Kerberos with an SAP-server,
SAP, and Citrix I am pretty sure use Active Directory which uses a
form of Kerberos and LDAP. Otherwise they have had to been written to
use Kerberos. You can't just slap it on.
I would suggest you pick up Oreilly's Kerberos book (
Second, I would consider subscribing to the Kerberos mailing lists if
you are interested in Kerberos. They can give you a much more detailed
Remember, PKI and Kerberos are not something you can just slap on.
Tools have to be written to support them in the first place.
MACSec InfoSec news