Re: SSO



Hello,

Thanks for your responses.

You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
have SPNEGO built in, and can use the Kerberos in Active Directory.
Apache can use mod_auth_kerb that supports SPNEGO. With Firefox 2 on any
platform, see the about:config and the network.negotiate-auth.trusted-uris option.

I would have definitely considered this, but the group that I am working
with does not want to include AD in any solution.

Also, (I'm not sure how familiar people are with Cosign) since Cosign
transforms Kerberos authentication to a cookie-based authentication which
the browsers can use, I was wondering if you have had any experience with
this.

Thanks again.




On 7/17/08, Javier Palacios <javiplx@xxxxxxxxx> wrote:

I wanted to use Kerberos to authenticate the user. After research, I
thought this would make sense. I saw some suggestions using CoSign or
WebAuth. I can't use WebAuth because it is only for Linux, and CoSign is
written for Apache (but there are ISAPI filters I guess for IIS) and I am
running off of Microsoft IIS.
[...]

You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
have SPNEGO built in, and can use the Kerberos in Active Directory.
Apache can use mod_auth_kerb that supports SPNEGO. With Firefox 2 on any
platform, see the about:config and the network.negotiate-auth.trusted-uris option.


The main (and probably only) drawback of this method is that it is all
about HTTP basic authentication, and most applications only allow
some kind of cookie-based auth.

You might want to look at PAPI (http://papi.rediris.es). It only
provides Web SSO, but I think it is enough for you. It allows multiple
authentication backends, and although it is not packaged as default it
is possible to use Kerberos (actually, I tested it successfully
against a W3K domain controller).
On the authentication server side, as far as I remember it forces you
to use Apache (but Apache for Windows is OK).
And regarding the application side, IIS might be a problem, except
if the code is PHP. But you can integrate it with Java (a Tomcat
filter at least).

Hope this helps.

Javier Palacios
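
An added example, not part of the thread and not taken from the mod_auth_kerb project: a minimal Apache configuration for the SPNEGO approach mentioned above, using mod_auth_kerb against a Kerberos realm that does not have to be Active Directory. The realm EXAMPLE.ORG, the host intranet.example.org, the /protected path, the module path and the keytab location are assumptions.

```apache
# Assumed module path; adjust to the local Apache layout.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location "/protected">
    AuthType Kerberos
    AuthName "Kerberos SSO"

    # SPNEGO: the server answers 401 with "WWW-Authenticate: Negotiate" and the
    # browser replies with a service ticket for HTTP/intranet.example.org.
    KrbMethodNegotiate On

    # Disable the password fallback. When it is On, the user's Kerberos password
    # is sent to the server via HTTP Basic, so it must never be enabled without TLS.
    KrbMethodK5Passwd Off

    # Any Kerberos realm works here (MIT or Heimdal KDC); AD is not required.
    KrbAuthRealms EXAMPLE.ORG
    KrbServiceName HTTP

    # Keytab holding the key for HTTP/intranet.example.org@EXAMPLE.ORG.
    # Keep it readable only by the account Apache runs as.
    Krb5KeyTab /etc/apache2/http.keytab

    # Do not store delegated credentials on the web server unless an
    # application behind it actually needs them.
    KrbSaveCredentials Off

    Require valid-user
</Location>

# Client side (Firefox, about:config): list only the sites that should
# receive Negotiate tokens, for example
#   network.negotiate-auth.trusted-uris = https://intranet.example.org
# An overly broad value makes the browser offer tickets to unintended hosts.
```

After a successful exchange Apache sets REMOTE_USER to the authenticated principal, which an application can use to issue its own session cookie.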
