
Kerberos SSO Authentication

Why Kerberos?

Kerberos authentication support is particularly useful for enterprise networks that have a Microsoft AD based domain controller. By properly configuring the necessary Kerberos related components, your enterprise Internet users can optionally use Windows Integrated Authentication. Windows Integrated Authentication is a non-interactive authentication process based on SSO. SSO ensures that your users do not have to manually provide their credentials (username / password) to access your networked enterprise resources and services, while their access is still restricted as specified. SSO thus not only adds convenience to the overall user experience, but also enhances security.

In a typical Microsoft AD based network, implementing SSO based access to the networked resources and services provided by Microsoft Windows based hosts is a tightly integrated function of the AD service. However, if the networked resource is set up on a non-Microsoft platform, the AD integration can be a bit puzzling for less experienced technicians. The task of integration isn't too complex in itself; it requires keytab files that have been properly created as Kerberos keytabs. The procedure is documented at http://msdn.microsoft.com/en-us/library/ms995329.aspx
A technician with sufficient management rights on the Microsoft AD (for Group Policy, the DNS server, and the Domain Controller host) can use the steps discussed in this article to accomplish the desired goals.

Non-interactive MIT Kerberos-based services use the keytab to log on and use Kerberos services. Services running on UNIX systems can be configured with service instance accounts in Active Directory, which allows full interoperability.

MIT Kerberos clients and servers on UNIX systems can authenticate by using the Windows Server 2003 / 2008 Kerberos server, and clients connected to servers running Windows Server 2003 / 2008 can authenticate to Kerberos services that support GSS-API.
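As an added illustration (not part of the original article or of SafeSquid), the following Python reads the keytab format that ktpass.exe and MIT ktutil write and lists each entry's principal, key version number and encryption type, the three values to compare against the AD service account when a keytab-based service fails to authenticate. The SPN HTTP/proxy.example.com, the realm EXAMPLE.COM and the key bytes are constructed sample values, not taken from any real domain.

```python
import struct
# Keytab v0x0502 layout (MIT ktutil, Microsoft ktpass.exe): big-endian integers,
# uint16-length-prefixed strings. Entry: int32 size | uint16 ncomp | realm | components
# | uint32 name_type | uint32 timestamp | uint8 kvno8 | uint16 enctype,keylen | key | [uint32 kvno32]
def _cstr(buf, off):
    """Read one length-prefixed string at buf[off]; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return one dict per entry: the fields `klist -kt` prints, plus the key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        end = off + 4 + abs(size)             # negative size marks a deleted slot
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, off + 4)
            realm, p = _cstr(data, off + 6)
            comps = []
            for _ in range(ncomp):
                comp, p = _cstr(data, p)
                comps.append(comp)
            _name_type, ts, kvno8 = struct.unpack_from(">IIB", data, p)
            enctype, keylen = struct.unpack_from(">HH", data, p + 9)
            key, p = data[p + 13:p + 13 + keylen], p + 13 + keylen
            # newer writers append a 32-bit kvno; 0 (or absent) means "use kvno8"
            kvno = (end - p >= 4 and struct.unpack_from(">I", data, p)[0]) or kvno8
            entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                            "enctype": enctype, "timestamp": ts, "key": key})
        off = end
    return entries

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for text in [realm] + comps:
            body += struct.pack(">H", len(text)) + text.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample, not a real keytab: the proxy's HTTP SPN with aes256 (18) and rc4 (23).
SAMPLE = build_keytab([("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
                       ("HTTP/proxy.example.com@EXAMPLE.COM", 2, 23, b"\x22" * 16)])
```

On a real host, `parse_keytab(open("/etc/krb5.keytab", "rb").read())` shows the same principal, kvno and enctype that `klist -kt` reports, so a kvno or enctype that disagrees with the AD account is visible before any proxy configuration is touched.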


Article Goals

The most recent releases in the ntlm-RCxx distributions of SafeSquid for Linux support Kerberos based SSO authentication. Being a member of the team that develops SafeSquid and helps people use it, I could share the frustrating experiences of various technicians when they attempted to achieve seamless integration. The puzzles and problems, as in any other case of inter-process, inter-platform integration, are caused by incoherent documentation or educational discussion of the reasons for failure, troubleshooting and preparatory setup.

In this article we will therefore pay special attention to careful and systematic pre-setup, to keep troubleshooting confusion to a minimum. We will replicate relevant information available on various authoritative Microsoft and *nix web sites.

The discussion begins with the preparatory steps required to accomplish the procedure set out in the above reference. It also includes some references, in case you are inclined to understand the functional significance of the steps listed here. Though this article ends with setting up SafeSquid, an HTTP/1.1 proxy server, on a Linux host, almost all of the preceding steps would remain the same for any other Kerberos-aware server application. The only differences would be those required to correctly support the application protocol of the Kerberos-aware server application.