Here at work we just implemented an Apple Open Directory server. It stores everyone's usernames and passwords and implements LDAP and Kerberos. I've been tasked with configuring all of our ASP.Net web applications to authenticate with it--so users can use their Open Directory usernames and passwords to log into our ASP.Net applications.

I need something like mod_auth_kerb, except for IIS and ASP.Net--and I'd like to use forms-based authentication.

Is this possible?

A: 

IIS only supports kerberos for NTLM authentication as far as I know. I have never seen a secondary kerberos capable library or software. (true kerberos I mean) Now you could use the LDAP libraries in .Net to communicate between the servers in a kerberos fashion, but the connection between user client and asp.net server would still be an SSL plain/text connection.

I've also never seen it done, but it should be able to be done ... if the asp.net server had a trust relationship with the Apple Open Directory server with an LDAP connection made between the two, it might be possible to enable the NTLM authentication at the IIS level, and that would (in theory) extend the kerberos connectivity to the AOD through the trust. Again, I've never even contemplated it so I don't know what the pitfalls would be of attempting it.

I have successfully used DirectoryServices to connect to other Active Directories through the LDAP protocol, but I still have not found a way to embed the kerberos connectivity between client and authentication server without NTLM.

Joel Etherton
A: 

To use Kerberos authentication in IIS, your authentication type for the protected resource should be "Windows Authentication". This will make IIS use Negotiate (spnego) authentication. The server must be a member of a domain for Kerberos to work. I'd recommend using a Server 2008 or Server 2008 R2 machine for this if possible as it handles Kerberos authentication more gracefully.

I haven't gotten a chance to work with a Mac server for a while, but it's my understanding that Open Directory is capable of serving a Windows domain member. For authorization, you'll have to query the LDAP directory from ASP or use your own internal authorization mechanism.

Edit: This Microsoft KB article might be of some use to you: http://msdn.microsoft.com/en-us/library/aa480475.aspx

bshacklett
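As an added example, not code from the question or either answer, this is the forms-authentication route both answers gesture at: the ASP.NET side validates a user's Open Directory password by binding to the directory over LDAPS with System.DirectoryServices.Protocols, rather than relying on IIS Windows Authentication. The host name, port, base DN, service account DN and the `cn=users` container are assumptions; adjust them to your directory.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class OpenDirectoryAuth
{
    // Assumed values: adjust to your directory.
    const string Host = "od.example.com";
    const string BaseDn = "cn=users,dc=example,dc=com";
    const string ServiceDn = "uid=svc-web,cn=users,dc=example,dc=com";

    // Escape user-supplied text before placing it in an LDAP filter (RFC 4515), so a username such as "*)(uid=*" cannot change what the search matches.
    static string EscapeFilter(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    static LdapConnection Connect(string bindDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 636));
        conn.SessionOptions.SecureSocketLayer = true;  // LDAPS, so the password is never sent in the clear
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Basic;                // simple bind, protected by TLS
        conn.Credential = new NetworkCredential(bindDn, password);
        conn.Bind();                                   // throws LdapException on bad credentials
        return conn;
    }

    // True only if the directory accepts the password for the user's own DN.
    public static bool Validate(string username, string password, string servicePassword)
    {
        // An empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which some servers treat as success, so refuse it before contacting the directory.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        string userDn;
        using (var lookup = Connect(ServiceDn, servicePassword))
        {
            var req = new SearchRequest(BaseDn, "(uid=" + EscapeFilter(username) + ")", SearchScope.OneLevel, "1.1"); // "1.1": return no attributes
            var resp = (SearchResponse)lookup.SendRequest(req);
            if (resp.Entries.Count != 1) return false;  // unknown or ambiguous user
            userDn = resp.Entries[0].DistinguishedName;
        }
        try { using (Connect(userDn, password)) return true; }
        catch (LdapException) { return false; }        // e.g. result code 49 invalidCredentials
    }
}
```

Call `OpenDirectoryAuth.Validate` from the login page and, on success, issue the forms ticket with `FormsAuthentication.SetAuthCookie`; group membership for authorization can be read from the same directory in a second search, as the second answer suggests.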