[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier andKerberos authentica tion
> Do you mean the "kerberos user" quite blatantly gives his kerberos name > AND PASSWORD to the web server? And then the web server gets the TGT from > the KDC AS service in the name of the kerberos user? Sure, that's how the vast majority of web SSO systems work if the authentication source is Kerberos. Obviously Kerberos is fairly incidental in that environment; a password database is just as good (or bad). Ideally that traffic is confined to a single trusted server that doesn't host applications, just the weblogin process. In practice, people do basic-auth over SSL to Kerberos all over, all the time. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]