Kerberos and Single Sign-On

Let's look at the standard Kerberos protocol, which has long been used in Windows and is the primary authentication protocol in recent versions. This protocol is very secure and by design supports single sign-on. And SSO is what we're interested in. Kerberos is widely used (not only on Windows), but we will base the description on the MS implementation in a domain environment.

The article deals with setting up the client to be able to use Single sign-on against the application on the server. We take Microsoft Windows as clients that are joined to a domain, all SSO authentication is against Active Directory and we consider only Kerberos protocol. Of course our server application must support SSO. Mainly we will be looking at web applications and therefore web browser configuration and bulk configuration using Group Policy.

In previous articles, we have described the Kerberos protocol and its use in Single sign-on. Also, using SSO from a Windows client perspective, primarily when authenticating to a web application. Today we'll look at the other side, the web server and the use of SSO in our web application. The basic description is general, but in the details we have to work from precise conditions. Again, we will take advantage of the fact that we have user management in an Active Directory domain, and thus authentication to AD using Kerberos. The clients will be on Windows as we described in the last article. On the server we will be using the Apache application server and a small mention of the code will be related to the PHP language.

The article describes a problem I recently encountered. It is a situation where we have a user who is a member of a large number of groups. I first ran into a problem with a web application that uses SSO and it stopped working. The solution is to modify the Apache or Tomcat configuration. Then I ran into a problem in Windows 7 where the user stopped authenticating correctly (while some features still worked).