Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
In my last email I described one reason why a password database check is not the same as using Kerberos, but (again) I don't think the various ways of authenticating with Kerberos and which is better need to be discussed.
Tim.
-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 13 April 2004 02:14
To: 'Polar Humenn'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> Do you mean the "kerberos user" quite blatantly gives his kerberos name
> AND PASSWORD to the web server? And then the web server gets the TGT from
> the KDC AS service in the name of the kerberos user?
Sure, that's how the vast majority of web SSO systems work if the
authentication source is Kerberos. Obviously Kerberos is fairly incidental
in that environment; a password database is just as good (or bad).
Ideally that traffic is confined to a single trusted server that doesn't
host applications, just the weblogin process. In practice, people do
basic-auth over SSL to Kerberos all over, all the time.
-- Scott