Re: SSO - Kerberos

This is a discussion on Re: SSO - Kerberos ; Hello, Thanks for your responses. > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS > have SPNEGO built in, and can use the Kerberos in Active Directory. > Apache can use mod_auth_kerb that supports SPNEGO. ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Re: SSO

  1. Re: SSO

    Hello,

    Thanks for your responses.

    > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
    > have SPNEGO built in, and can use the Kerberos in Active Directory.
    > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any

    platform
    > see the about:config and the network.negotiate-auth.trusted-uris option.


    I would have definitely considered this, but the group that I am working
    with does not want to include AD in any solution.

    Also, (I'm not sure how familiar people are with Cosign) since Cosign
    transforms Kerberos authentication to a cookie-based authentication which
    the browsers can use, I was wondering if you have had any experience with
    this.

    Thanks again.




    On 7/17/08, Javier Palacios wrote:
    >
    > >> I wanted to use Kerberos to authenticate the user. After research, I
    > >> thought this would make sense. I saw some suggestions using CoSign or
    > >> WebAuth. I can't use WebAuth because it is only for Linux, and CoSign

    > is
    > >> written for Apache (but there are ISAPI filters i guess for IIS) and I

    > am
    > >> running off of Microsoft IIS.
    > >> [...]

    > >
    > > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
    > > have SPNEGO built in, and can use the Kerberos in Active Directory.
    > > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any

    > platform
    > > see the about:config and the network.negotiate-auth.trusted-uris option.
    > >

    >
    > The main (and probably only) drawback of this method is that is all
    > about HTTP basic authentication, and most of applications only allow
    > some kind of cookie based auth.
    >
    > You might want to look at PAPI (http://papi.rediris.es), it only
    > provides Web SSO, but I think is enough for you. Allows multiple
    > authentication backends, and although it is not packaged as default it
    > is possible to use Kerberos (actually, I tested it successfully
    > against a W3K domain controller).
    > On the authentication server side, as far as I remember it forces you
    > to use apache (but apache for Windows is OK).
    > And regarding the application side, the IIS might be a problem, except
    > if the code is PHP. But you can integrate it with Java (a tomcat
    > filter at least).
    >
    > Hope this helps.
    >
    > Javier Palacios
    >


  2. Re: SSO

    Sharad Desai wrote:
    >> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
    >> have SPNEGO built in, and can use the Kerberos in Active Directory.
    >> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
    >> platform
    >> see the about:config and the network.negotiate-auth.trusted-uris option.

    >
    > I would have definitely considered this, but the group that I am working
    > with does not want to include AD in any solution.


    It works with any Kerberos KDC.

    I'm using CAS (http://www.ja-sig.org/products/cas/) for SPNEGO/Kerberos
    with fall-back to LDAP bind.

    Ciao, Michael.

+ Reply to Thread