Thursday, 23 September 2010 19:03
Kerberos is a network authentication protocol for client/server applications, and SPNEGO provides a mechanism for extending Kerberos to Web applications through the standard HTTP protocol.
Kerberos
Kerberos is an authentication protocol which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Kerberos was developed by the Massachusetts Institute of Technology (MIT) as a solution to its network security problems. It was named after the Greek mythological character Kerberos (or Cerberus). Several versions of the protocol exist, and the latest one is version 5 - RFC 4120 released in 2005.
The idea is very simple. If you want a service, you need to have a ticket for that service. To obtain a ticket, you must contact the Ticket Granting Service (TGS) to obtain a service ticket. Once the ticket is obtained, you can use it to gain access to the intended service offered by a Service Server (SS).
Extracted from the Microsoft TechNet site - Kerberos Explained.
Kerberos is normally deployed in a client/server environment. It is rarely used in web applications and thin client environments.
SPNEGO
This is where SPNEGO comes to the rescue. It stands for Simple and Protected GSS-API Negotiation Mechanism, and it provides a mechanism for extending a Kerberos-based single sign-on environment to web applications.
The following diagram shows how a client application obtains a service from a web application through the standard HTTP protocol. Basically:
- When an application (e.g. a browser) on the PC attempts to access a protected page on the web server, the server responds with an unauthorized response.
- The application then requests a service ticket from the KDC, e.g. Active Directory.
- Once the required ticket is obtained, the application wraps it in a SPNEGO envelope and sends it over to the web server to request the same page again.
- The server then unpacks the envelope to retrieve the service ticket and uses it to authenticate the user.
Extracted from Jens Bo Friis' presentation, SPNEGO authentication using JGSS.
Resources
If you are interested in how Kerberos works, the following document illustrates the operation in a couple of simple diagrams.
A number of standards related to Kerberos authentication are available today. They are:
- RFC 4120 - The Kerberos Network Authentication Service (V5)
- RFC 2743 - The Generic Security Services Application Program Interface (GSS-API)
- RFC 4178 - The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- RFC 4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
Note: Microsoft supports RFC 4559, which is Microsoft's version of SPNEGO with the ability to fall back to NTLM.
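The HTTP exchange described above and the RFC 4559 NTLM fallback mentioned in the note can both be inspected from the Authorization header alone. The following is an added example, not code from this post or from the cited presentation: it decodes a Negotiate token, reads the GSS-API mechanism OID and, for SPNEGO, the list of offered mechTypes, so a web server or a log review can tell a Kerberos service ticket from an NTLM fallback. The OID values are the standard assignments; the sample headers are constructed, and the DER reader only walks the fields shown.

```python
import base64

# DER OID values (tag and length stripped) of the standard mechanism identifiers.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5", NTLM_OID: "NTLMSSP"}

def _tlv(buf, pos, tag):
    """Check the DER tag at pos and return (value_start, value_end)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    first = buf[pos + 1]
    if first < 0x80:                         # short-form length
        return pos + 2, pos + 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return pos + 2 + n, pos + 2 + n + length

def classify_negotiate(header_value):
    """Return (outer mechanism, SPNEGO mechTypes) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00"):       # RFC 4559 fallback: bare NTLM, no GSS wrapper
        return "NTLM (raw)", []
    s, _ = _tlv(tok, 0, 0x60)                # InitialContextToken [APPLICATION 0]
    s, oid_end = _tlv(tok, s, 0x06)          # thisMech OBJECT IDENTIFIER
    outer = MECHS.get(tok[s:oid_end], "unknown OID")
    mech_types = []
    if tok[s:oid_end] == SPNEGO_OID:         # descend into NegTokenInit.mechTypes
        s, _ = _tlv(tok, oid_end, 0xA0)      # negTokenInit CHOICE [0]
        s, _ = _tlv(tok, s, 0x30)            # NegTokenInit SEQUENCE
        s, _ = _tlv(tok, s, 0xA0)            # mechTypes [0]
        s, end = _tlv(tok, s, 0x30)          # SEQUENCE OF MechType, preferred mech first
        while s < end:
            s, oe = _tlv(tok, s, 0x06)
            mech_types.append(MECHS.get(tok[s:oe], "unknown OID"))
            s = oe
    return outer, mech_types

def _der(tag, *parts):                       # short-form DER encoder for the samples below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed samples, not captured traffic: a minimal NegTokenInit offering Kerberos then
# NTLM, and the start of a bare NTLMSSP NEGOTIATE_MESSAGE as a client sends on fallback.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID), _der(
    0xA0, _der(0x30, _der(0xA0, _der(0x30, _der(0x06, KRB5_OID), _der(0x06, NTLM_OID))))))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A header that arrives as bare NTLMSSP, or whose first offered mechType is not Kerberos, means the client did not present a service ticket, which is worth logging rather than silently accepting.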