Kerberos web authentication

Tags: authentication, web services, web-applications

I've developed an internal single-page web-app (Unix, Apache & PostgreSQL) protected by a simple login page. Currently, the users have their own login role with a password.

This is starting to get cumbersome for a couple reasons:

  1. Users have multiple passwords (for my web-app and Active Directory; the company network is Windows).

  2. Storing user information in two different places (would like to centralize).

I've been looking into Kerberos to the point that I've set up a KDC and am able to connect to the database through GSSAPI authentication (command-line only).

From what I understand, I should be able to use my own KDC that will integrate with Active Directory.

The problem I'm working through at the moment is web-app authentication via Kerberos:

If a user is on the web, how can I obtain/verify Kerberos credentials? Can I store the credentials in a cookie? Do I have to resort to using OAuth, WebAuth, or something similar?

To clarify, what I want to do is:

If a user doesn't have valid credentials, give them the login page to obtain credentials (via kinit, but how through the browser?) and return valid credentials.
(How can I store credentials in the browser? Can I create a cookie from the Kerberos credentials?)

I've googled and read a fair few PDFs and web resources, but unfortunately none of them were able to dumb it down enough for me to get a solid grasp of how to accomplish Kerberos web authentication.

If you didn't notice, I'm confused about how to piece everything together and would appreciate a conceptual overview of how everything fits together.

Best Answer

The usual way you would go about this is, whenever processing authentication requests in your web application, to authenticate against Kerberos to check for a valid login/password.

I do not think you will find another way to check the current user's authentication details in, e.g., a Windows session, as that wouldn't be secure by design. If you stored the user/password combination, you would have to store it in an accessible form, and that would also leave it open to hijacking.
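For the browser side of the question (how a ticket reaches the web app, and what, if anything, ends up in a cookie), the standard mechanism is HTTP Negotiate: the server answers 401 with `WWW-Authenticate: Negotiate`, the browser replies with a base64 SPNEGO/Kerberos token obtained from its existing ticket cache, the server validates it through GSSAPI against its `HTTP/host.fqdn@REALM` keytab, and then issues a session cookie that names the authenticated principal rather than carrying the ticket itself. The block below is an added example written for this page, not code from the question or the answer. The actual GSSAPI acceptance of the token is delegated to a caller-supplied `accept_token` callable (assumed to wrap python-gssapi's `SecurityContext(usage="accept")` in a real deployment); the sample token, secret and `fake_accept` stand-in are constructed so the handshake, the mechanism check and the cookie handling can run offline.

```python
"""
Negotiate (SPNEGO/Kerberos) handshake on the web-app side, followed by a
signed session cookie. Added illustration; not code from the question or
the answer. Real GSSAPI acceptance is delegated to the caller-supplied
`accept_token` callable (assumed to wrap python-gssapi's
SecurityContext(usage="accept") in production); the token-shape check,
the challenge/response logic and the cookie handling run offline as-is.
"""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional, Tuple

# DER-encoded OBJECT IDENTIFIER elements that open a GSS InitialContextToken.
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
CHALLENGE = {"WWW-Authenticate": "Negotiate"}


def gss_mechanism(token: bytes) -> Optional[str]:
    """Peel the RFC 2743 wrapper ([APPLICATION 0] length mech-OID ...) and
    name the mechanism, or None for anything else (e.g. an NTLM blob, which
    starts with b"NTLMSSP\\0" and must not be passed on as Kerberos)."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    first = token[1]
    if first < 0x80:                       # short-form length
        length, pos = first, 2
    else:                                  # long-form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or len(token) < 2 + n:
            return None
        length, pos = int.from_bytes(token[2:2 + n], "big"), 2 + n
    if len(token) != pos + length:         # trailing or missing bytes: reject
        return None
    body = token[pos:]
    if body.startswith(OID_SPNEGO):
        return "spnego"
    if body.startswith(OID_KRB5):
        return "krb5"
    return None


def negotiate_header(token: bytes) -> str:
    """The Authorization header a browser sends once the site is trusted for SSO."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


class NegotiateAuth:
    """Per-request logic: valid session cookie -> done; else challenge with
    Negotiate, accept the ticket via GSSAPI, and mint a cookie. The cookie
    carries only the authenticated principal under an HMAC, never the ticket."""

    def __init__(self, accept_token: Callable[[bytes], Optional[str]],
                 secret: bytes, ttl: int = 8 * 3600):
        self.accept_token = accept_token
        self.secret = secret
        self.ttl = ttl

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, principal: str, now: Optional[int] = None) -> str:
        exp = int(time.time() if now is None else now) + self.ttl
        payload = f"{principal}|{exp}"
        return f"{payload}|{self._sign(payload)}"

    def read_cookie(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        parts = cookie.rsplit("|", 2)
        if len(parts) != 3:
            return None
        principal, exp, sig = parts
        if not hmac.compare_digest(sig, self._sign(f"{principal}|{exp}")):
            return None                    # tampered or forged
        if int(exp) < int(time.time() if now is None else now):
            return None                    # expired: force a fresh Negotiate
        return principal

    def _session(self, headers: Dict[str, str], now: Optional[int]) -> Optional[str]:
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session":
                return self.read_cookie(value, now)
        return None

    def handle(self, headers: Dict[str, str],
               now: Optional[int] = None) -> Tuple[int, Dict[str, str], Optional[str]]:
        """One request in, (status, response headers, principal or None) out."""
        principal = self._session(headers, now)
        if principal:
            return 200, {}, principal
        authz = headers.get("Authorization", "")
        if not authz.startswith("Negotiate "):
            return 401, dict(CHALLENGE), None      # first round trip: challenge
        try:
            token = base64.b64decode(authz[len("Negotiate "):], validate=True)
        except binascii.Error:
            return 400, {}, None
        if gss_mechanism(token) is None:
            return 401, dict(CHALLENGE), None      # not Kerberos/SPNEGO: refuse
        principal = self.accept_token(token)       # GSSAPI verifies the AP-REQ
        if principal is None:
            return 401, dict(CHALLENGE), None
        cookie = self.issue_cookie(principal, now)
        return 200, {"Set-Cookie": f"session={cookie}; HttpOnly; Secure; SameSite=Lax"}, principal


# --- constructed sample data for an offline run (not a real ticket) ---------
def _wrap(mech_oid: bytes, inner: bytes) -> bytes:
    body = mech_oid + inner
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | 2]) + n.to_bytes(2, "big")
    return b"\x60" + length + body

SAMPLE_TOKEN = _wrap(OID_SPNEGO, b"\xa0" + b"\x00" * 150)   # exercises long-form length
SAMPLE_PRINCIPAL = "alice@EXAMPLE.COM"

def fake_accept(token: bytes) -> Optional[str]:
    """Stand-in for GSSAPI acceptance: only the constructed token 'verifies'."""
    return SAMPLE_PRINCIPAL if token == SAMPLE_TOKEN else None
```

Two practical notes on wiring this up. Browsers only send the Negotiate token automatically for sites they are configured to trust for SSO (Firefox's `network.negotiate-auth.trusted-uris`; the Local intranet zone for IE, Edge and Chrome on Windows), and the browser obtains the service ticket from the KDC that issued the user's TGT, so with Windows desktops the `HTTP/...` service principal must be known to Active Directory, either registered there with a keytab for the web host or reachable through a trust from the separate KDC. Since the app already sits behind Apache, `mod_auth_gssapi` performs the same handshake in the web server and, with `GssapiUseSessions On`, issues its own signed session cookie, so the application only needs to read the authenticated principal from the request rather than handling tokens itself.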