Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

My first reaction is, "You've got to be kidding me!", then sadly, or more frighteningly, you wouldn't be.

I'll agree with you. I wouldn't call that Kerberos. My god. Sometimes, I just wonder what other abominations .....

Gezzzz,
-Polar

On Mon, 12 Apr 2004, Scott Cantor wrote:

> > Do you mean the "kerberos user" quite blatantly gives his kerberos name
> > AND PASSWORD to the web server? And then the web server gets the TGT from
> > the KDC AS service in the name of the kerberos user?
>
> Sure, that's how the vast majority of web SSO systems work if the
> authentication source is Kerberos. Obviously Kerberos is fairly incidental
> in that environment; a password database is just as good (or bad).
>
> Ideally that traffic is confined to a single trusted server that doesn't
> host applications, just the weblogin process. In practice, people do
> basic-auth over SSL to Kerberos all over, all the time.
>
> -- Scott
>