Kerberos and Group membership - Kerberos


Thread: Kerberos and Group membership

  1. Kerberos and Group membership

    Hi,

    Has anyone used Kerberos in a Windows 2000\2003 server environment?

    Is it possible to retrieve group information from Active Directory when
    doing Kerberos authentication to W2K or Windows 2003?

    With LDAP and NTLM it is possible to retrieve group membership information.

    Thanks,

    Ilan

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos and Group membership

    On Wed, 20 Sep 2006 16:35:52 +0300
    "Ilan Frenkel" wrote:

    > Hi,
    >
    > Has anyone used Kerberos in a Windows 2000\2003 server environment?


    Yes, "Active Directory" is basically a KDC and an LDAP server.

    > Is it possible to retrieve group information from Active Directory when
    > doing Kerberos authentication to W2K or Windows 2003?


    Technically, yes. In practice, it's non-trivial.

    Tickets issued by Active Directory have group information buried in
    the authorization-data field, but it is not easily accessible, and even
    if you do get it out it's basically a list of numbers, which isn't useful
    in itself.

    The ideal solution is to get the RIDs from the Kerberos ticket and use
    DCE/RPC to lookup any names you use in your config, within scripts,
    etc. This is what our PlexSSO product does (see sig).

    > With LDAP and NTLM it is possible to retrieve group membership information.


    Technically, yes. In practice, it's not adequate. Doing proper group
    expansion would require recursive queries and possibly referrals. Then
    you have to cache and compare large amounts of strings. You can easily
    make something look like it's working in a small environment but it's
    unlikely to be correct and it doesn't scale.

    Also, NTLM is not ideal for Web SSO as it requires communication with
    the domain controller and multiple messages to authenticate. Kerberos is
    much better. The same LDAP limitations described above apply to both, though.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
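The "list of numbers" Mike refers to is the group RID array inside the PAC (the AD_WIN2K_PAC authorization-data element, type 128) of an AD-issued ticket. The following is an added example, not code from the original thread or from the PlexSSO product. It walks the outer PAC buffer table (PACTYPE header and PAC_INFO_BUFFER entries, as documented in MS-PAC), decodes the binary SID format from MS-DTYP, and turns RIDs into full SIDs ready for an LsarLookupSids call. The sample PAC bytes are constructed here: the logon-info buffer holds only a hand-built domain SID as a stand-in, because this example does not decode the NDR-encoded KERB_VALIDATION_INFO that a real PAC carries there. Well-known RIDs are the only names it can resolve locally; everything else needs the DCE/RPC lookup the reply describes.

```python
"""Locate PAC buffers and turn PAC group RIDs into SIDs (added example).

Constructed sample data: the PAC built below follows the MS-PAC buffer-table
layout but its logon-info payload is just a binary domain SID standing in for
the NDR-encoded KERB_VALIDATION_INFO, which is not decoded here.
"""
import struct

PAC_LOGON_INFO = 1        # ulType of the KERB_VALIDATION_INFO buffer
PAC_SERVER_CHECKSUM = 6   # PAC_SIGNATURE_DATA over the PAC, service key
PAC_PRIVSVR_CHECKSUM = 7  # PAC_SIGNATURE_DATA over the server checksum, krbtgt key
HMAC_SHA1_96_AES256 = 16  # RFC 3961 checksum type used in the sample signatures

# Documented well-known RIDs (MS-DTYP). Anything else must be resolved via LSA.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Assumed sample domain SID; not a real domain.
SAMPLE_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"


def parse_pac_buffers(pac: bytes) -> dict:
    """Parse PACTYPE {cBuffers, Version, PAC_INFO_BUFFER[cBuffers]}.

    Each PAC_INFO_BUFFER is ulType (4), cbBufferSize (4), Offset (8), all
    little-endian. Returns {ulType: payload bytes}, bounds-checked so a
    hostile Offset/cbBufferSize pair cannot read outside the PAC.
    """
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    buffers, pos = {}, 8
    for _ in range(count):
        if pos + 16 > len(pac):
            raise ValueError("truncated PAC_INFO_BUFFER table")
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, pos)
        pos += 16
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ul_type} points outside the PAC")
        buffers[ul_type] = pac[offset:offset + size]
    return buffers


def decode_sid(data: bytes) -> str:
    """Binary SID -> 'S-R-A-s1-s2-...'. Layout: Revision (1), SubAuthorityCount (1),
    IdentifierAuthority (6, big-endian), SubAuthority[] (4 each, little-endian)."""
    if len(data) < 8 or data[0] != 1 or len(data) < 8 + 4 * data[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{data[1]}I", data, 8)
    return "S-1-%d%s" % (authority, "".join(f"-{s}" for s in subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid, used to build the constructed sample."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def resolve_rids(domain_sid: str, rids) -> list:
    """GroupIds in KERB_VALIDATION_INFO are RIDs relative to LogonDomainId.
    Returns [(full SID, name or None)]; None means 'ask LsarLookupSids'."""
    return [(f"{domain_sid}-{rid}", WELL_KNOWN_RIDS.get(rid)) for rid in rids]


def build_sample_pac() -> bytes:
    """Constructed PAC: buffer table + stand-in logon info + two zeroed signatures."""
    payloads = [
        (PAC_LOGON_INFO, encode_sid(SAMPLE_DOMAIN_SID)),
        (PAC_SERVER_CHECKSUM, struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x00" * 12),
        (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x00" * 12),
    ]
    offset = 8 + 16 * len(payloads)          # data starts right after the table
    table, body = b"", b""
    for ul_type, payload in payloads:
        table += struct.pack("<IIQ", ul_type, len(payload), offset)
        padded = payload + b"\x00" * (-len(payload) % 8)   # buffers are 8-byte aligned
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(payloads), 0) + table + body


if __name__ == "__main__":
    bufs = parse_pac_buffers(build_sample_pac())
    domain = decode_sid(bufs[PAC_LOGON_INFO])
    for sid, name in resolve_rids(domain, [513, 512, 1105]):
        print(sid, name or "(resolve via LsarLookupSids)")
```

In a real deployment the two checksum buffers must be verified (the server checksum with the service key, and the KDC checksum where the service can reach a DC) before any group in the PAC is trusted; a PAC whose signatures are not checked is just attacker-controllable bytes.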

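The second half of Mike's reply, that LDAP-side group expansion needs recursive queries and careful string comparison, is illustrated by the following added example (not code from the original thread). It runs against a small in-memory directory constructed here in place of a live LDAP server, so the DNs, group names and nesting are assumptions. It shows the three things a naive one-query implementation gets wrong: nested groups need a transitive walk, that walk must stop on membership cycles, and the user's primary group appears only in primaryGroupID, never in memberOf. DN comparison is done case-insensitively, since LDAP DNs are not byte-exact strings.

```python
"""Transitive (nested) group expansion over an LDAP-like directory (added example).

The directory below is constructed sample data standing in for an LDAP server;
lookup() plays the role of one base-scope search. Membership is stored as the
memberOf back-link on users and groups, as Active Directory does.
"""
from collections import deque

DIRECTORY = {
    "CN=ilan,CN=Users,DC=example,DC=com": {
        "objectClass": "user",
        "memberOf": ["CN=WebAdmins,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": 513,            # Domain Users; NOT listed in memberOf
    },
    "CN=WebAdmins,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "memberOf": ["CN=ServerOps,OU=Groups,DC=example,DC=com"],
    },
    "CN=ServerOps,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        # Cycle: ServerOps is in WebAdmins and WebAdmins is in ServerOps.
        "memberOf": ["CN=WebAdmins,OU=Groups,DC=example,DC=com",
                     "CN=Domain Admins,CN=Users,DC=example,DC=com"],
    },
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {"objectClass": "group", "memberOf": []},
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": "group", "memberOf": [], "rid": 513,
    },
}

# Case-insensitive DN index: LDAP DNs compare by attribute type, not by bytes.
INDEX = {dn.lower(): dn for dn in DIRECTORY}


def lookup(dn: str):
    """Stand-in for one LDAP search; returns (canonical DN, attributes) or None."""
    canonical = INDEX.get(dn.lower())
    return (canonical, DIRECTORY[canonical]) if canonical else None


def primary_group_dn(rid):
    """Find the group whose RID matches the user's primaryGroupID."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") == "group" and attrs.get("rid") == rid:
            return dn
    return None


def expand_groups(user_dn: str, max_depth: int = 32) -> list:
    """Return the sorted transitive closure of groups user_dn belongs to.

    Breadth-first over memberOf; each hop costs one directory query. The
    visited set both de-duplicates and breaks cycles; max_depth bounds the
    work even against a pathological directory.
    """
    found = lookup(user_dn)
    if found is None:
        raise LookupError(user_dn)
    _, user = found
    queue = deque((dn, 1) for dn in user.get("memberOf", []))
    pg = primary_group_dn(user.get("primaryGroupID"))
    if pg:
        queue.append((pg, 1))
    visited = set()
    while queue:
        dn, depth = queue.popleft()
        if depth > max_depth:
            raise RuntimeError(f"group nesting deeper than {max_depth}")
        found = lookup(dn)
        if found is None:
            # In a multi-domain forest this is where a referral would be chased.
            continue
        canonical, group = found
        if canonical in visited:
            continue
        visited.add(canonical)
        for parent in group.get("memberOf", []):
            queue.append((parent, depth + 1))
    return sorted(visited)


def is_member(user_dn: str, group_dn: str) -> bool:
    """Authorization check: does user_dn belong to group_dn, directly or nested?"""
    return group_dn.lower() in {g.lower() for g in expand_groups(user_dn)}


if __name__ == "__main__":
    for g in expand_groups("CN=ilan,CN=Users,DC=example,DC=com"):
        print(g)
```

On Active Directory from Windows Server 2003 SP2 onwards, the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) lets the server do this transitive walk in a single query, but the primary-group and referral caveats still apply.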
