[30104] in Kerberos


Re: SSO

daemon@ATHENA.MIT.EDU (Sharad Desai)
Thu Jul 17 11:02:27 2008

Message-ID: <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com>
Date: Thu, 17 Jul 2008 11:01:02 -0400
From: "Sharad Desai" <ssdesai1@gmail.com>
To: "Javier Palacios" <javiplx@gmail.com>
In-Reply-To: <a64bf030807170755x6f2c9757t6dc0bada3e10ae30@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu, "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello,

Thanks for your responses.

> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> have SPNEGO built in, and can use the Kerberos in Active Directory.
> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
> platform see the about:config and the network.negotiate-auth.trusted-uris
> option.

I would have definitely considered this, but the group that I am working
with does not want to include AD in any solution.

Also, (I'm not sure how familiar people are with Cosign) since Cosign
transforms Kerberos authentication to a cookie-based authentication which
the browsers can use, I was wondering if you have had any experience with
this.

Thanks again.




On 7/17/08, Javier Palacios <javiplx@gmail.com> wrote:
>
> >> I wanted to use Kerberos to authenticate the user.  After research, I
> >> thought this would make sense.  I saw some suggestions using CoSign or
> >> WebAuth.  I can't use WebAuth because it is only for Linux, and CoSign is
> >> written for Apache (but there are ISAPI filters I guess for IIS) and I am
> >> running off of Microsoft IIS.
> >>  [...]
> >
> > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> > have SPNEGO built in, and can use the Kerberos in Active Directory.
> > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
> > platform see the about:config and the network.negotiate-auth.trusted-uris
> > option.
> >
>
> The main (and probably only) drawback of this method is that it is all
> about HTTP basic authentication, and most applications only allow
> some kind of cookie based auth.
>
> You might want to look at PAPI (http://papi.rediris.es), it only
> provides Web SSO, but I think it is enough for you. It allows multiple
> authentication backends, and although it is not packaged as default it
> is possible to use Kerberos (actually, I tested it successfully
> against a W3K domain controller).
> On the authentication server side, as far as I remember it forces you
> to use Apache (but Apache for Windows is OK).
> And regarding the application side, the IIS might be a problem, except
> if the code is PHP. But you can integrate it with Java (a Tomcat
> filter at least).
>
> Hope this helps.
>
> Javier Palacios
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
