Re: SSO
daemon@ATHENA.MIT.EDU (Michael B Allen)
Thu Jul 17 22:18:00 2008
Message-ID: <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com>
Date: Thu, 17 Jul 2008 22:16:43 -0400
From: "Michael B Allen" <ioplex@gmail.com>
To: "Christopher D. Clausen" <cclausen@acm.org>
In-Reply-To: <C34D9B748044442ABB63C908410D37B0@CDCHOME>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, Jul 17, 2008 at 9:52 PM, Christopher D. Clausen
<cclausen@acm.org> wrote:
>> With Plexcel we can do SPNEGO, check group membership (we extract the
>> group SIDs from the PAC), app-level access to basic user info and a
>> get TGT without talking to a third party at all. The time between the
>> initial HTTP request and the 200 response is less than 20 ms (or ~50
>> ms if the user is in a few hundred groups).
>
> The whole point of the central server is to keep end-users from typing
> passwords in at all the other random webservers.
If you read the whole thread you'd know I'm only talking about the
*IntrAnet* scenario. With SPNEGO you do not type in a password at all,
whereas with WebAuth you might need to. If you have a lot of clients
that cannot do SPNEGO then, yes, WebAuth and Cosign are better
solutions.
> The point is that those hosting the server are not to be
> trusted with the end user passwords and the central server solves this
> problem.
That's not a problem if you're using AD since you have the "Account is
trusted for delegation" flag, which is off by default. No one can set up
a service and lure people into giving up their TGTs. An admin has to
go into the account and flag it as trusted for delegation.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
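An added example (not from Mike's message, Plexcel or the list): a small Python audit that reports which accounts carry the delegation bits behind the "Account is trusted for delegation" checkbox Mike refers to, run over constructed (sAMAccountName, userAccountControl) records standing in for a real LDAP export.

```python
# Added audit example, not code from the thread. In AD the "Account is trusted
# for delegation" checkbox sets TRUSTED_FOR_DELEGATION (0x80000) in
# userAccountControl (unconstrained delegation); "use any authentication
# protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000). Both are off by
# default for ordinary accounts, which is the point Mike makes: an admin has
# to turn them on, so a defender can enumerate exactly who has them.
TRUSTED_FOR_DELEGATION = 0x80000
NOT_DELEGATED = 0x100000          # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
SERVER_TRUST_ACCOUNT = 0x2000     # domain controller computer accounts
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000


def delegation_status(uac: int) -> str:
    """Classify one userAccountControl value by its delegation bits."""
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "trusted-to-auth-for-delegation"
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    return "none"


def audit(records):
    """Return (name, status, expected) for every account that may receive
    forwarded TGTs. Domain controllers are unconstrained by default, so they
    are reported with expected=True; anything else is a finding to review."""
    findings = []
    for name, uac in records:
        status = delegation_status(uac)
        if status == "none":
            continue
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        findings.append((name, status, is_dc))
    return findings


# Constructed sample export (hypothetical names, not real accounts).
SAMPLE_RECORDS = [
    ("alice", NORMAL_ACCOUNT),
    ("svc-web", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),
    ("WEB01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION),
    ("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    ("bob", NORMAL_ACCOUNT | NOT_DELEGATED),
]

if __name__ == "__main__":
    for name, status, expected in audit(SAMPLE_RECORDS):
        print(f"{name:10} {status:32} {'expected (DC)' if expected else 'REVIEW'}")
```

Constrained delegation targets live in the separate msDS-AllowedToDelegateTo attribute, so a full audit also reads that attribute for the accounts this reports.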
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos