Kerberos and SPNEGO
Source: Internet. Editor: 程序博客网. Posted: 2024/06/05 13:26
Thursday, 23 September 2010 19:03
Kerberos is a network authentication protocol for client/server applications, and SPNEGO provides a mechanism for extending Kerberos to Web applications through the standard HTTP protocol.
Kerberos
Kerberos is an authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is designed to provide strong authentication for client/server applications using secret-key cryptography: every principal shares a long-term key with the Key Distribution Center (KDC), and no password ever travels to the service being accessed.
Kerberos was developed by the Massachusetts Institute of Technology (MIT) as a solution to its network security problems. It was named after the Greek mythological character Kerberos (or Cerberus). Several versions of the protocol exist, and the latest one is version 5 - RFC 4120 released in 2005.
The idea is very simple. If you want a service, you need to have a ticket for that service. To obtain a ticket, you must contact the Ticket Granting Service (TGS) to obtain a service ticket. Once the ticket is obtained, you can use it to gain access to the intended service offered by a Service Server (SS).
Extracted from Microsoft's TechNet site - Kerberos Explained.
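The summary above leaves out the first step: before asking the TGS for anything, the client authenticates to the Authentication Service (AS) and receives a ticket-granting ticket (TGT), which it then presents to the TGS together with an authenticator to get the service ticket. The following is an added example (it is not code from the article, from TechNet or from any Kerberos implementation) that walks the AS, TGS and AP exchanges in plain Python. The realm EXAMPLE.COM, the principals alice and HTTP/www.example.com, the password and the ticket lifetime are constructed for the demo, and the seal()/unseal() cipher is an HMAC-SHA256 toy standing in for the RFC 3961 encryption types. What it does show accurately is which key opens which message and the checks a ticket consumer has to make before trusting a ticket.

```python
import hashlib, hmac, json, os, secrets

REALM = "EXAMPLE.COM"                 # constructed realm for the example
TGS_PRINCIPAL = "krbtgt/" + REALM     # the Ticket Granting Service's own principal
TICKET_LIFETIME = 8 * 3600            # seconds
MAX_CLOCK_SKEW = 300                  # Kerberos default: 5 minutes

def derive_key(password: str, principal: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (password salted with the principal).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a 32-byte key (toy stand-in for an RFC 3961 enctype)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_authenticator(session_key: bytes, client: str, now: float) -> bytes:
    """Proves possession of the session key; the (ctime, cusec) pair makes each one unique."""
    return seal(session_key, {"cname": client, "ctime": int(now), "cusec": secrets.randbelow(10**6)})

def verify_authenticator(session_key, ticket, authenticator, now, replay_cache=None):
    """The checks every ticket consumer (TGS or application server) runs on an AP-REQ."""
    if not ticket["authtime"] <= now < ticket["endtime"]:
        raise PermissionError("ticket expired or not yet valid")
    auth = unseal(session_key, authenticator)    # only the genuine client holds this session key
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("authenticator principal does not match the ticket")
    if abs(now - auth["ctime"]) > MAX_CLOCK_SKEW:
        raise PermissionError("authenticator outside the allowed clock skew")
    if replay_cache is not None:
        stamp = (auth["cname"], auth["ctime"], auth["cusec"])
        if stamp in replay_cache:
            raise PermissionError("replayed authenticator")
        replay_cache.add(stamp)
    return auth

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) of one realm."""
    def __init__(self, principal_keys: dict):
        self.keys = principal_keys               # KDC database: principal -> long-term key

    def _issue(self, client: str, service: str, now: float):
        session_key = secrets.token_bytes(32)    # fresh per ticket, shared by client and service
        ticket = seal(self.keys[service], {"cname": client, "sname": service, "key": session_key.hex(),
                                           "authtime": now, "endtime": now + TICKET_LIFETIME})
        return session_key, ticket

    def as_exchange(self, client: str, now: float):
        """AS-REQ -> AS-REP: a TGT plus a session key readable only with the client's own key."""
        session_key, tgt = self._issue(client, TGS_PRINCIPAL, now)
        return tgt, seal(self.keys[client], {"key": session_key.hex(), "sname": TGS_PRINCIPAL})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ -> TGS-REP: a service ticket, issued only if the TGT and authenticator verify."""
        t = unseal(self.keys[TGS_PRINCIPAL], tgt)
        tgt_session = bytes.fromhex(t["key"])
        verify_authenticator(tgt_session, t, authenticator, now)
        svc_session, ticket = self._issue(t["cname"], service, now)
        return ticket, seal(tgt_session, {"key": svc_session.hex(), "sname": service})

class AppServer:
    """The Service Server (SS): it never sees the user's password, only tickets."""
    def __init__(self, principal: str, key: bytes):
        self.principal, self.key, self.replay_cache = principal, key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)             # only this service's long-term key opens its tickets
        if t["sname"] != self.principal:
            raise PermissionError("ticket was issued for a different service")
        verify_authenticator(bytes.fromhex(t["key"]), t, authenticator, now, self.replay_cache)
        return t["cname"]

def demo(now: float) -> dict:
    """Runs all three exchanges for a constructed user; returns the artefacts for inspection."""
    alice, web_spn = "alice@" + REALM, "HTTP/www.example.com@" + REALM
    kdc = KDC({alice: derive_key("correct horse", alice), web_spn: secrets.token_bytes(32),
               TGS_PRINCIPAL: secrets.token_bytes(32)})
    web = AppServer(web_spn, kdc.keys[web_spn])
    # 1. AS exchange: alice proves she knows her password by decrypting the AS-REP.
    tgt, enc = kdc.as_exchange(alice, now)
    tgt_session = bytes.fromhex(unseal(derive_key("correct horse", alice), enc)["key"])
    # 2. TGS exchange: TGT + authenticator -> service ticket for the web server's SPN.
    ticket, enc = kdc.tgs_exchange(tgt, make_authenticator(tgt_session, alice, now), web_spn, now)
    svc_session = bytes.fromhex(unseal(tgt_session, enc)["key"])
    # 3. AP exchange: the web server authenticates alice from ticket + authenticator alone.
    auth = make_authenticator(svc_session, alice, now)
    return {"user": web.ap_exchange(ticket, auth, now), "server": web, "ticket": ticket, "auth": auth}
```

demo(time.time()) runs the three exchanges end to end. Presenting the same ticket and authenticator to the AppServer a second time raises PermissionError from its replay cache, and presenting the ticket after its endtime fails before the authenticator is even decrypted. A real KDC keeps a replay cache of its own for TGS requests, which this toy omits.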
Kerberos is normally deployed in a client/server environment. RFC 4120 defines no binding to HTTP, so on its own it is rarely used in web applications and thin-client environments.
SPNEGO
This is the gap SPNEGO fills. It stands for Simple and Protected GSS-API Negotiation Mechanism (RFC 4178): a GSS-API pseudo-mechanism that lets the two sides agree on a real mechanism such as Kerberos, and which, carried in HTTP headers as the Negotiate authentication scheme (RFC 4559), provides a mechanism for extending a Kerberos-based single sign-on environment to web applications.
The following diagram shows how a client application obtains a service from a web application through the standard HTTP protocol. Basically,
- When an application (e.g. a browser) on the PC attempts to access a protected page on the web server, the server responds with 401 Unauthorized and a WWW-Authenticate: Negotiate header.
- The application then requests a service ticket for the web server's service principal (e.g. HTTP/www.example.com) from the KDC, e.g. an Active Directory domain controller, presenting the ticket-granting ticket it already holds from logging on.
- Once the required ticket is obtained, the application wraps it in a SPNEGO envelope and sends it, base64-encoded in an Authorization: Negotiate header, to the web server to request the same page again.
- The server then unpacks the envelope to retrieve the service ticket, decrypts it with its own long-term key, and uses it to authenticate the user.
Extracted from Jens Bo Friis' presentation on SPNEGO authentication using JGSS.
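As an added example (not code from the presentation, the article or any GSS library), here is the HTTP side of that exchange in Python. The client wraps a Kerberos AP-REQ in a SPNEGO NegTokenInit inside a GSS-API initial context token and base64-encodes it into the Authorization: Negotiate header. The server answers the first request with 401 and WWW-Authenticate: Negotiate, parses the DER envelope to recover the offered mechanism list and the inner token, refuses clients that lead with NTLMSSP (the RFC 4559 fallback), hands the Kerberos token to the Kerberos layer, and returns a NegTokenResp with negState accept-completed on the final 200. The OIDs and the ASN.1 layout are the ones from RFC 2743, RFC 4178 and RFC 4559; the AP-REQ bytes, the user alice@EXAMPLE.COM and the fake_accept() function standing in for JGSS/GSSAPI acceptSecContext are constructed for the example.

```python
import base64

# Registered object identifiers used by SPNEGO (RFC 4178) and HTTP Negotiate (RFC 4559).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos OID, offered alongside the standard one
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5_OID, MS_KRB5_OID}

def encode_oid(dotted: str) -> bytes:
    """Content octets of a DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return bytes(out)

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value with DER definite length (short form, or 0x81/0x82 long form)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int = 0):
    """Returns (tag, content, position after the element); rejects lengths past the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the token")
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mechs: list, mech_token: bytes) -> bytes:
    """Client side: InitialContextToken [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mechs))
    init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, init))

def parse_neg_token_init(token: bytes):
    """Server side: returns (mechTypes as dotted OIDs, optimistic mechToken or None)."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, fields, _ = read_tlv(choice)              # the NegTokenInit SEQUENCE
    mechs, mech_token, pos = [], None, 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA0:                          # mechTypes [0]: SEQUENCE OF OBJECT IDENTIFIER
            _, lst, _ = read_tlv(value)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(decode_oid(o))
        elif tag == 0xA2:                        # mechToken [2]: OCTET STRING, belongs to mechs[0]
            _, mech_token, _ = read_tlv(value)
    return mechs, mech_token

def neg_token_resp_completed() -> bytes:
    """NegTokenResp { negState [0] ENUMERATED accept-completed(0) }; response tokens carry no GSS header."""
    return der(0xA1, der(0x30, der(0xA0, der(0x0A, b"\x00"))))

def authorization_header(mechs: list, mech_token: bytes) -> str:
    return "Negotiate " + base64.b64encode(build_neg_token_init(mechs, mech_token)).decode()

def handle_request(headers: dict, accept_kerberos_token):
    """One request under RFC 4559 Negotiate; returns (status, response headers, principal).
    accept_kerberos_token(ap_req) stands in for the Kerberos layer (GSS/JGSS acceptSecContext)
    and returns the authenticated principal or None."""
    challenge = {"WWW-Authenticate": "Negotiate"}
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate":
        return 401, challenge, None              # no token yet: challenge the client
    try:
        mechs, mech_token = parse_neg_token_init(base64.b64decode(b64))
    except (ValueError, IndexError):
        return 400, {}, None                     # malformed envelope
    # The optimistic mechToken belongs to mechs[0]. A client that leads with NTLMSSP (the RFC 4559
    # fallback) is refused here rather than negotiated down; Kerberos-first offers proceed.
    if not mechs or mechs[0] not in KERBEROS_MECHS or mech_token is None:
        return 401, challenge, None
    principal = accept_kerberos_token(mech_token)
    if principal is None:
        return 401, challenge, None
    resp = "Negotiate " + base64.b64encode(neg_token_resp_completed()).decode()
    return 200, {"WWW-Authenticate": resp}, principal

# Constructed stand-in for the Kerberos layer: recognises one made-up AP-REQ blob as alice.
FAKE_AP_REQ = b"constructed AP-REQ bytes for alice@EXAMPLE.COM"
def fake_accept(ap_req: bytes):
    return "alice@EXAMPLE.COM" if ap_req == FAKE_AP_REQ else None
```

A browser's real token is handled by passing an acceptor backed by a keytab for HTTP/www.example.com in place of fake_accept(); the envelope parsing and the policy check stay the same. The NTLM check matters because a client that offers only NTLMSSP never sends a Kerberos ticket at all, so a server that quietly negotiates down has given up the property the article is after.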
Resources
If you are interested in how Kerberos works, the following document illustrates the operation in a couple of simple diagrams.
- Sharing a Secret: How Kerberos Works
A number of standards related to Kerberos authentication are available today. They are:
- RFC 4120 - The Kerberos Network Authentication Service (V5)
- RFC 2743 - The Generic Security Services Application Program Interface (GSS-API)
- RFC 4178 - The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- RFC 4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
Note: RFC 4559 documents Microsoft's HTTP Negotiate scheme, a profile of SPNEGO that can fall back to NTLM when Kerberos is not available. NTLM is the weaker mechanism, so deployments that want Kerberos-only authentication must refuse that fallback on the server side.
- SPNEGO, NTLM and Kerberos
- Kerberos and SPNEGO
- Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)