Is it possible to use Brokered Kerberos Authentication for web services over the Internet? I'm looking at web services security for an environment which already has Active Directory. Due to the existing architecture, the web services will be quite chatty and I have no control over this architecture. It may take up to 6 web service calls to perform one business process.

There is concern over authenticating multiple times and the overhead this will incur. From my initial reading of brokered Kerberos authentication, once the user credentials are provided then a Kerberos security token will be returned and authentication is not required for each web service call.

I'm envisaging a system where the user credentials are passed to Active Directory via a web service call and the Kerberos token is returned. This token is then used for all subsequent web service calls.

Is this possible or am I heading off on a tangent? If I am heading off on a tangent, is there a preferred approach for this? I've finished reading the Microsoft Web Service Security: Scenarios, Patterns and Implementation Guidance for WSE 3.0 and am still a little unclear.

+1  A: 

Consider leveraging the SAML protocol as a way to exchange assertions via WS-Security.

jm04469
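
A simplified model of the brokered pattern discussed in this thread, added here as an example and not code from the question, the answer, or WSE: the broker checks credentials once and issues a signed, expiring token bound to one service, and the service verifies that token locally on each of the six calls. The HMAC-signed token is a stand-in for a Kerberos service ticket or a signed SAML assertion; the key, user store and function names are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions): a key shared by broker and service,
# playing the role of the service's long-term key, and a toy user store.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
USERS = {"alice": "correct horse"}


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest().encode()


def broker_issue(user, password, audience, lifetime=300, now=None):
    """Broker: check credentials once, return a signed, expiring token."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        raise PermissionError("bad credentials")
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()


def service_validate(token, audience, now=None):
    """Service: verify locally on every call; no round trip to the broker."""
    body, _, sig = token.partition(".")
    # Check integrity before parsing anything the caller controls.
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        raise PermissionError("signature mismatch")
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["aud"] != audience:
        raise PermissionError("token issued for another service")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["sub"]


def run_business_process(token, audience, calls=6, now=None):
    """The six chatty calls from the question, each presenting the same token."""
    return [service_validate(token, audience, now) for _ in range(calls)]
```

The per-call cost is one MAC check rather than a credential round trip, but the token is a bearer credential for its lifetime, so it needs transport protection and a short expiry.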