Web-server – Kerberos Authentication for Webservers

Tags: authentication, http, kerberos, proxy, web-server

Before I blindly jump on "trial and error" tests, I'd like to ask some general questions on Kerberos Authentication for Webservers. I want to evaluate what's possible with Kerberos. The main benefit would, of course, be Single-Sign-On. But it might also be an appropriate alternative to LDAP Authentication etc. (and luckily our Active Directory already includes a Kerberos KDC). Help, hints and discussion are most welcome!

I'd like to discuss a rather complex setup to find the limitations:
MS Browser -> Linux Squid Proxy -> (Linux httpd Reverse-Proxy) -> Linux httpd Webserver

1) As far as I understood, both Webserver and Browser need a permanent connection to the KDC to obtain and verify Authentication Tickets, right?

2) Our KDC is accessible only on our internal network. Does that mean that no clients from outside our network would ever be able to authenticate on our websites?
If so, would it then be possible to place a reverse-proxy in our network (with access to our KDC) to obtain Kerberos Tickets on behalf of the browser? Could the webserver itself obtain a Ticket on behalf of the browser? And would that be an appropriate workaround?
Should I rather use a fallback ldap authentication to handle external clients (the LDAP Server only needs to be available to the Webserver and not the Browser)?

3) How does kerberos work when proxies (normal forward-proxies such as squid) are used? Does the Proxy obtain Tickets on behalf of the Browser? Is there some sort of passthrough mechanism I could use? Do I actually need to change anything on my proxy to prevent it breaking kerberos auth?
I found a lot of HOWTOs on the Internet, but none of them stated clearly whether they allow general access to the proxy or access to a website behind the proxy.

I'll probably pop into some more questions, but I think it might be a good starting point to gain some insight into Ticket based Authentication.

Thanks in advance!

Best Answer

To answer your questions,

  1. Yes, webserver and Browser/client need to connect to the KDC to verify the tickets. You must do a kinit/domain login to get a TGT and further the webbrowser will get an HTTP service ticket to access the webserver.

  2. Exposing kerberos/domaincontroller on internet is not a good practice. Try using webauth.

  3. I do not understand what you intended to do with proxy, but you could get a proxiable ticket from kerberos and use it based on your need.

Firefox already supports gss-api negotiate methods. All you have to do is do a kinit and configure the negotiate-auth in about:config http://grolmsnet.de/kerbtut/firefox.html and access your web page. If you are using apache check mod_auth_kerb. Lighttpd also has some kerberos support.
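When debugging a chain like Browser -> Squid -> httpd, the first thing to establish is who is actually asking for authentication: a 401 with `WWW-Authenticate: Negotiate` comes from the web server (access to a site behind the proxy), while a 407 with `Proxy-Authenticate: Negotiate` means the forward proxy itself wants credentials (general access to the proxy). The second thing is what the browser put in the `Negotiate` token, which is a base64 GSS-API initial context token whose leading OID names the mechanism (SPNEGO, raw Kerberos V5, or an unframed NTLM blob if Negotiate silently fell back). The script below is an added example for this thread, not code from the original answer or from any of the projects mentioned; it uses only the Python standard library, and the HTTP messages and token bodies in it are constructed samples (the OIDs themselves are the real registered values).

```python
"""Inspect HTTP Negotiate (SPNEGO / Kerberos) challenges and tokens.

Added example for the thread above, not part of the original page.
Answers two diagnostic questions from a defender's seat:
  * Is the 401/407 coming from the origin web server or from the forward proxy?
  * Which GSS-API mechanism does the client's Negotiate token carry?
All sample messages and token bodies below are constructed for the demo.
"""
import base64

# Real, registered GSS-API mechanism OIDs (RFC 4178 for SPNEGO, RFC 4121 for Kerberos).
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",  # NTLM carried inside SPNEGO
}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def challenge_target(status, headers):
    """401 + WWW-Authenticate: the origin server wants auth (site behind the proxy).
    407 + Proxy-Authenticate: the forward proxy (e.g. Squid) itself wants auth.
    Returns (target, [offered schemes])."""
    if status == 407:
        hdr, target = "proxy-authenticate", "proxy"
    elif status == 401:
        hdr, target = "www-authenticate", "origin"
    else:
        return None, []
    schemes = [v.split()[0] for n, v in headers if n == hdr and v]
    return target, schemes


def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    first = content[0]
    parts = [str(first // 40), str(first % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def der_length(buf, pos):
    """Read a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gss_mech_oid(token):
    """Return the mechanism OID of a GSS-API InitialContextToken (RFC 2743 section 3.1):
    [APPLICATION 0] (0x60) <len>  OBJECT IDENTIFIER (0x06) <len> <oid>  <inner token>.
    Returns None when the bytes are not framed that way (e.g. a raw NTLM token)."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    _, pos = der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        return None
    oid_len, pos = der_length(token, pos + 1)
    return decode_oid(token[pos:pos + oid_len])


def inspect_auth_header(value):
    """Classify an Authorization / Proxy-Authorization value such as 'Negotiate YII...'.
    Returns (scheme, mechanism description or None for a bare challenge)."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        return scheme, None
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return scheme, "undecodable"
    oid = gss_mech_oid(token)
    if oid is None:
        return scheme, "unframed (not a GSS-API token; raw NTLM?)"
    return scheme, MECH_NAMES.get(oid, oid)


def negotiate_header(token):
    """Build the header value a client would send for a given raw token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed tokens: real mechanism OIDs, dummy inner bodies (not valid tickets).
SPNEGO_TOKEN = bytes.fromhex("600a" "06062b0601050502" "a000")
KRB5_TOKEN = bytes.fromhex("600d" "06092a864886f712010202" "0100")

# Constructed responses: one from the origin web server, one from the forward proxy.
ORIGIN_401 = ("HTTP/1.1 401 Authorization Required\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: Basic realm=\"EXAMPLE.COM\"\r\n\r\n")
PROXY_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: Negotiate\r\n\r\n")

if __name__ == "__main__":
    for raw in (ORIGIN_401, PROXY_407):
        print(challenge_target(*parse_response(raw)))
    for tok in (SPNEGO_TOKEN, KRB5_TOKEN, b"NTLMSSP\x00"):
        print(inspect_auth_header(negotiate_header(tok)))
```

Run against captured headers (for example from Squid's access log with request-header logging enabled, or from a browser's developer tools), the 401-versus-407 check tells you which hop is challenging, and the mechanism decode tells you whether the browser really sent Kerberos or quietly fell back to NTLM because it could not get a service ticket for the server's SPN.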
