Work in progress

This site is in the process of being reviewed and updated.

5.4. Kerberos Protocol Provider



Introduction

The Kerberos provider for Apache Directory implements RFC 1510, the Kerberos V5 Network Authentication Service (RFC 1510 has since been obsoleted by RFC 4120, which clarifies and updates the same protocol). The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos' real strength is that it authenticates users without ever sending their password over the network: the client derives a key from the password locally and only ever proves possession of that key. Kerberos is designed for use on open (untrusted) networks and therefore operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.

Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server (the key distribution center, or KDC), and the network service being accessed.

The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the Kerberos provider leverages Apache Directory's MINA for front-end services and the Apache Directory read-optimized backing store via JNDI for persistent directory services.

The Kerberos provider for Apache Directory, in conjunction with MINA and the Apache Directory store, provides an easy-to-use yet fully-featured network authentication service. As implemented within Apache Directory, the Kerberos provider provides:

  • Authentication service (RFC 1510)
  • Ticket-granting service (RFC 1510)
  • Pre-authentication support (RFC 1510)
  • DES encryption systems (RFC 1510)
  • Triple-DES (DES3) encryption systems
  • UDP and TCP support (MINA)
  • Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi

Note that single DES (56-bit keys) is no longer considered adequate for Kerberos and is deprecated by RFC 6649; where clients and KDC both support it, prefer Triple-DES and disable the single-DES encryption types.
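The three services listed above (authentication service, ticket-granting service, pre-authentication) and the point made in the introduction that the password never crosses the network, as an added example that is not code from Apache Directory or its Kerberos provider. It models all three heads in Python: the client derives its long-term key from the password and proves possession of it with an encrypted timestamp (PA-ENC-TIMESTAMP), the KDC checks clock skew and replays and issues a TGT sealed under the krbtgt key, the TGS exchange issues a service ticket sealed under the service's key, and the service verifies the AP-REQ without contacting the KDC. Assumptions: messages are Python dicts rather than ASN.1/DER, sealed parts are JSON, and the encryption type is a stand-in (HMAC-SHA256 CTR keystream with an HMAC tag) rather than DES/3DES/AES; the realm, principal names, passwords and error-name strings used as exception messages are constructed sample data, and `demo` is a hypothetical driver.

```python
"""Kerberos V5 key hierarchy and the AS (with PA-ENC-TIMESTAMP pre-auth), TGS and AP
exchanges. Added example, not Apache Directory code. Stand-ins (assumptions): messages
are dicts, sealed parts JSON, and the enctype an HMAC-SHA256 CTR keystream plus HMAC
tag in place of DES/3DES/AES (RFC 3961). Realm, principals and passwords are constructed."""
import hashlib, hmac, json, os, time

SKEW = 300  # RFC 1510 suggests tolerating about five minutes of clock skew

def string_to_key(password, realm, principal):
    # Long-term key from the password (salt and 4096 iterations as in the RFC 3962 AES profile).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096, 32)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    # Stand-in for Kerberos EncryptedData: encrypt-then-MAC under one key with a fresh nonce.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY")  # wrong key, or modified in transit
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def fresh(ts):
    return abs(ts - time.time()) <= SKEW

class KDC:
    """Second head: AS and TGS. Holds every principal's key, never a password."""
    def __init__(self, keys):
        self.keys, self.replay_cache = keys, set()
    def as_exchange(self, req):
        ckey = self.keys[req["cname"]]
        try:
            pa = unseal(ckey, req["padata"])  # PA-ENC-TIMESTAMP: proves knowledge of ckey
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
        if not fresh(pa["ts"]):
            raise PermissionError("KRB_AP_ERR_SKEW")
        if (req["cname"], pa["ts"]) in self.replay_cache:  # a captured pre-auth cannot be replayed
            raise PermissionError("KRB_AP_ERR_REPEAT")
        self.replay_cache.add((req["cname"], pa["ts"]))
        skey, exp = os.urandom(32).hex(), int(time.time()) + 600
        tgt = seal(self.keys["krbtgt"], {"cname": req["cname"], "key": skey, "exp": exp})
        return {"ticket": tgt, "enc_part": seal(ckey, {"key": skey, "nonce": req["nonce"]})}
    def tgs_exchange(self, req):
        tgt = unseal(self.keys["krbtgt"], req["ticket"])  # only the KDC can open a TGT
        auth = unseal(bytes.fromhex(tgt["key"]), req["authenticator"])
        if auth["cname"] != tgt["cname"] or not fresh(auth["ts"]) or tgt["exp"] < time.time():
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        skey, exp = os.urandom(32).hex(), int(time.time()) + 600
        ticket = seal(self.keys[req["sname"]], {"cname": tgt["cname"], "key": skey, "exp": exp})
        return {"ticket": ticket, "enc_part": seal(bytes.fromhex(tgt["key"]), {"key": skey, "nonce": req["nonce"]})}

class Client:
    """First head: keeps only the derived key; the password is dropped after derivation."""
    def __init__(self, realm, name, password):
        self.name, self.key = name, string_to_key(password, realm, name)
    def _ask(self, exchange, key, req):
        req["nonce"] = os.urandom(8).hex()
        rep = exchange(req)
        enc = unseal(key, rep["enc_part"])  # the session key is readable only with `key`
        if enc["nonce"] != req["nonce"]:
            raise ValueError("KRB_AP_ERR_MODIFIED")  # reply does not belong to this request
        return rep["ticket"], bytes.fromhex(enc["key"])
    def login(self, kdc):
        pa = seal(self.key, {"ts": int(time.time())})
        self.tgt, self.tgs_key = self._ask(kdc.as_exchange, self.key, {"cname": self.name, "padata": pa})
    def ticket_for(self, kdc, sname):
        auth = seal(self.tgs_key, {"cname": self.name, "ts": int(time.time())})
        return self._ask(kdc.tgs_exchange, self.tgs_key, {"sname": sname, "ticket": self.tgt, "authenticator": auth})
    def ap_req(self, ticket, key):
        return {"ticket": ticket, "authenticator": seal(key, {"cname": self.name, "ts": int(time.time())})}

def service_accept(svc_key, ap_req):
    # Third head: the service knows only its own key and never contacts the KDC.
    t = unseal(svc_key, ap_req["ticket"])
    if t["exp"] < time.time():
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    a = unseal(bytes.fromhex(t["key"]), ap_req["authenticator"])
    if a["cname"] != t["cname"] or not fresh(a["ts"]):
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    return t["cname"]

def demo(password="correct horse"):
    realm, svc = "EXAMPLE.COM", "host/www.example.com"  # constructed sample names
    keys = {"alice": string_to_key("correct horse", realm, "alice"),
            "krbtgt": os.urandom(32), svc: os.urandom(32)}  # what the KDC's backing store holds
    kdc, alice = KDC(keys), Client(realm, "alice", password)
    try:
        alice.login(kdc)
    except PermissionError as e:
        return str(e)  # KDC_ERR_PREAUTH_FAILED for a wrong password
    return service_accept(keys[svc], alice.ap_req(*alice.ticket_for(kdc, svc)))
```

`demo()` returns the authenticated principal name `alice`; `demo("wrong password")` returns `KDC_ERR_PREAUTH_FAILED` because the pre-authentication timestamp was sealed under a key the KDC does not hold, and nothing in either run carries the password itself. The nonce check in `_ask` is what stops a replayed KDC reply from being accepted, and the KDC's replay cache is what makes a captured PA-ENC-TIMESTAMP useless inside the skew window.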

More Information

For help with Kerberos client configurations, check out our Interoperability Guide.

Resources

Kerberos Articles

  • Centralized Authentication with Kerberos 5, Part I <http://www.linuxjournal.com/article/7336>

  • Centralized Authorization Using a Directory Service, Part II <http://www.linuxjournal.com/article/7334>

Microsoft Interoperability

  • HTTP-Based Cross-Platform Authentication via the Negotiate Protocol </library/en-us/dnsecure/html/http-sso-2.asp>

  • RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism <http://www.faqs.org/rfcs/rfc2478.html>

Standards

  • Encryption and Checksum Specifications for Kerberos 5 <http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-07.txt>

  • Key Derivation for Kerberos V5 <http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-ietf-cat-kerb-key-derivation-00.txt>

  • Key Derivation for Authentication, Integrity, and Privacy <http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-horowitz-key-derivation-00.txt>

  • RFC 1510 - The Kerberos Network Authentication Service (V5) <http://www.faqs.org/rfcs/rfc1510.html>

  • RFC 1964 - The Kerberos Version 5 GSS-API Mechanism <http://www.faqs.org/rfcs/rfc1964.html>

  • Simplify enterprise Java authentication with single sign-on <http://www-106.ibm.com/developerworks/java/library/j-gss-sso/>

  • Lock down J2ME applications with Kerberos, Part 1: Introducing Kerberos data formats <http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos/>

  • Lock down J2ME applications with Kerberos, Part 2: Authoring a request for a Kerberos ticket <http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos2.html>

  • Lock down J2ME applications with Kerberos, Part 3: Establish secure communication with an e-bank <http://www-106.ibm.com/developerworks/wireless/library/wi-kerberos3/>
