Re: kerberos and web-single signon, a good solution??

From: Thomas Vincent (
Date: 03/12/04

Date: 11 Mar 2004 20:14:10 -0800 (paul b) wrote in message news:<>...
> Hello,
> I am currently developping a "web single signon"-system and I am
> thinking about using Kerberos for this propose

This article at Oreilly's might help:

> The goal is that a user has to identify itself once, using a
> X.509-certificate and that he has then access to a set of web-sites.
> In addition, I have an LDAP tree that could be used for managing the
> user rights.

x.509 has nothing to do with Kerberos. x.509 relates to PKI.

> I am not at 100% familiar with Kerberos, so I dont know if my idea
> works:
> I wanted to authenticate the user on the first connection using their
> certificate. Based on the certificate, it should be possible to get
> the user's Kerberos(username, REALM and password) information from the
> LDAP-tree and pass this information to the Kerberos Authentication
> server in order to get a ticket.

Sorry, I don't think this would work. Kerberos doesn't use x.509
certs. You are better off using and
authenticating directly against the KDC. Otherwise just use a straight
PKI implimentation using x.509 certs.

> Is this scenario possible and if yes, will it be transparent to the
> user(the best would be to authenticate the user only with its
> certificate, but one password popup could be tolerable ;-)) and not to
> hard to implement.

This scenario is not possible.

> As I understood, users must login manually to the Kerberos-system
> using Linux commands like "kinit",... and there is a lot of other
> command that have to be typed by the user. Is that really necessary or
> is it possible to "automize" this functions so that they are
> transparent to the user?

Following the Oreilly article and reading the docs for you should be able to make it
transparent from a web perspective.

> Does kerberizing a web-site introduce big changes to the site itself,
> can I interface Kerberos with the original login-functions or how does
> this work??

No, but keberizing the rest of the architecture does.

> Perhaps someone can tell me if Kerberos is really a good solution for
> web-single signon(and fully transparent to end-users) or if there are
> more simple possiblities like for example installing a "reverse
> proxy"?

Generally when people use Kerberos it is because they have a existing
Kerberos infrastructure they are trying to preserve. MIT, and CMU are
great examples of this.
If you don't, and you just want to have single-sign on for web use
x.509. If you want to include CLI tools and the such then use

> Could I, in later stages, also interface Kerberos with an SAP-server,
> Citrix,...

SAP, and Citrix I am pretty sure use Active Directory which uses a
form of Kerberos and LDAP. Otherwise they have had to been written to
use Kerberos. You can't just slap it on.

I would suggest you pick up Oreilly's Kerberos book (

Second, I would consider subscribing to the Kerberos mailing lists if
you are interested in Kerberos. They can give you a much more detailed

Remember, PKI and Kerberos are not something you can just slap on.
Tools have to be written to support them in the first place.

MACSec InfoSec news