tags:

views:

554

answers:

3
+4  Q: 

Is using Kerberos to authenticate to web sites and web services a good idea?

Through acquisition we have a number of products that require authentication and authorisation. The products include web sites and client side applications, the client side applications use some web services. We are a .Net shop and servers will be running Server 2008, clients will be running XP SP?? and later.

Users of the products are not part of our organisation and run from single users with a standalone pc to users in organisations running Active Directory etc.

Currently there is no common authentication or identity store and we are looking to remedy that. Our goals are:

  • A single user name and password (or certificate) across all products.
  • Ideally a single sign on (easy if we are launching a web site from a client app, presumably less so if a user logs onto a web site first then later launches the client side app).
  • Plus the usual; robust, scalable...

Like most companies we have limited resources and a tight schedule.

One suggested path for authentication is Kerberos which is probably the ideal route for a client app to authenticate to a web service but I am less happy using it on a web site where the user would submit a user name and password and the web server would be responsible for ticketing (then storing the ticket in a cookie?). I feel that we may be better off with a single identity store and our own authentication service that takes a user name and password, compares to a sorted hash, then issues a custom, time based security token. Maybe use SqlMembershipProvider?

Thanks to anyone that has read this far. Is Kerberos the best fit for this scenario or should I be looking elsewhere? If it is not a good fit, why not?

We are also looking at AD LDS for authorisation but I think this post is long enough already...

+3  A: 

Have you considered OpenID?

Cuga  2009-05-09 13:38:44
If you want to go to the extreme, you could implement 2-way SSL and issue private certs to all your users. You could eliminate the need for users to have name/pwd authentication alltogether (their browser would simply serve up their credentials to the server) and this is the most secure method possible.
Cuga  2009-05-09 13:45:51
I like both OpenID and certs but I am guessing that if we went OpenID we would want our own OpenID server and I don't think we have the resource/time/budget to do so. The same applies to issuing our own certs.There is a certificate provider in our industry that issues certificates at no cost to the user and carries liability for initial authentication etc but, when we last looked, the cost for us to authenticate the users certs with them blew the business case for using them.
John Plummer  2009-05-09 16:03:42
Either way, the issue I have at the moment is that the first choice seems to be Kerberos which I am uncomfortable with on a web site. However I cannot marshal any arguments against using it other than we will not get the full benefit of Kerberos and it doesn't 'smell' right for web site authentication. Neither of which seem good arguments.It may be that Kerberos is the right solution and I am just feeling uncormfortable with it due to my lack of knowledge.
John Plummer  2009-05-09 16:08:12
I haven't personally done it, but it appears easy to set up an OpenID provider (see bottom: http://openid.net/get/). With Kerberos, you'd need to set up a trusted third party (authentication and ticketing servers), which seems like just as much a resource/time/budget requirement as with an OpenID authentication server.
Cuga  2009-05-09 16:29:36
+1  A: 

OpenID for your single user accounts, and OAuth to authorize apps to access data at another web site make a good, distributed solution. Yes, Active Directory or another pure single-sign-on solution works great in a homogeneous environment but it sounds pretty divergent in your org.

Setting up a secure OpenID Provider is actually a big responsibility and shouldn't be something you just whip up by slapping a library together with a web server. You could let your users use their own OpenIDs, and then have a database where your users register their OpenIDs so they are recognized as employees/members across the system. Various parts of the system can check an OpenID for membership either directly against the database, or you can use OAuth to help verify membership too.

Very interesting possibilities in ways you can combine these two technologies.

Andrew Arnott  2009-05-09 19:48:05
Thanks for the posts so far, some good ideas, but I still need to know, if Kerberos is not the right solution, why isn't it?
John Plummer  2009-05-10 12:53:15
If it will work for your situation then Kerberos probably IS the best option.
Andrew Arnott  2009-05-11 01:20:10
+1  A: 

There is nothing inherently wrong with it except that Kerberos isn't really designed for that kind of use case, and doesn't play nicely with firewalls, generally. For example you probably don't want to open up external access to the same Kerberos KDC you use internally.

Plus if you mean MS Kerberos, and you apparently do, then opening up Kerberos comes with a whole other rats nest of MS protocols that you have to open up sooner or later, because the higher level stuff is tangled up with AD etc along with Kerberos.

That said:

I feel that we may be better off with a [...] our own authentication service

Almost certainly not. You generally don't want to reinvent the wheel, and if you must then not that wheel. Authentication protocols are generally hard to do and even harder for web access. Stick to something that exists already - basic authentication + SSL or client certificates and SSL, plus session tracking (again over SSL if this stuff really matters), or an LDAP service that is distinct from your AD. Those approaches all have their own problems but not as many as you'll have with rolling something of your own.

frankodwyer  2009-06-23 15:36:29

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?