[30120] in Kerberos
Re: SSO
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jul 18 01:58:46 2008
To: kerberos@mit.edu
In-Reply-To: <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com>
(Michael B. Allen's message of "Thu\,
17 Jul 2008 22\:16\:43 -0400")
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 17 Jul 2008 22:57:53 -0700
Message-ID: <87vdz3spi6.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Michael B Allen" <ioplex@gmail.com> writes:
> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at all
> whereas with WebAuth you might need to.
You're making a bogus comparison. If you don't have to type in passwords
with SPNEGO Negotiate-Auth, you don't have to type in passwords with
WebAuth either; it can use SPNEGO Negotiate-Auth for initial
authentication. In the Negotiate-Auth case, the password handling is
exactly the same, which one would expect given that it's using exactly the
same protocol and mechanism. (Cosign I think requires the ticket cache on
the central login server, so does introduce the twist of delegation.)
The difference does not lie in SPNEGO handling; it lies in the
architectural complexity, in what the fallback looks like when
Negotiate-Auth doesn't work, and in the delegation and authentication
persistance model.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
