Firewall Wizards mailing list archives
RE: LDAP and Kerberos?
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 20 Sep 2004 11:08:34 -0400
-----Original Message-----
On Mon, 20 Sep 2004, Melson, Paul wrote:
I'm not sure you've given enough information about your back end architecture to say for sure,

I'm not sure what else to say about the architecture. I'll be happy to answer any questions though.
Specifically, what else besides the web application will you be authenticating? How many users? If the primary goal of this directory is to provide authentication for this web app. plus maybe admin services, then Kerberos is a waste of time since it's not compatible with the web app.
How does Kerberos do it mutually? And even if it does do it mutually, if the server is compromised, what does that authentication really do for you? Or is it for some other reason?
It's my understanding that in mutual authentication scenarios the Kerberos client first authenticates to the server, then receives the service ticket, then finally challenges the server's identity to verify the first transaction. Kerberos can use RC4 or 3DES encryption (possibly others?), and authentication is based on a time stamp and key set. This is similar to how most IPSec-VPN IKE implementations work. The advantage of mutual authentication is that it prevents playback spoofing and man-in-the-middle attacks. It's designed to make it difficult for a third system to get access to services by eavesdropping or otherwise intercepting or interfering with the authentication process.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
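The timestamp-and-key exchange discussed in the message above, as a simplified model added here as an example; it is not part of the original post and is not real Kerberos code. It assumes client and service already share a session key (in Kerberos the KDC delivers it with the service ticket), uses HMAC-SHA256 as a stand-in for the Kerberos encryption types, and the names `Service`, `make_authenticator`, `client_verifies_server` and `MAX_SKEW` are hypothetical.

```python
import hashlib
import hmac
import os

MAX_SKEW = 300  # assumed clock-skew tolerance in seconds

def _mac(key, label, client, ts):  # HMAC-SHA256 stands in for Kerberos encryption
    msg = label + b"|" + client.encode() + b"|" + repr(ts).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_authenticator(session_key, client, now):
    """Client: prove knowledge of the session key at time `now`."""
    return {"client": client, "ts": now,
            "proof": _mac(session_key, b"AP-REQ", client, now)}

class Service:
    def __init__(self, session_key):
        self.session_key = session_key
        self.replay_cache = set()  # (client, timestamp) pairs already accepted

    def accept(self, auth, now):
        """Return the server's proof for the client, or None if rejected."""
        expected = _mac(self.session_key, b"AP-REQ", auth["client"], auth["ts"])
        if not hmac.compare_digest(expected, auth["proof"]):
            return None  # wrong key or tampered authenticator
        if abs(now - auth["ts"]) > MAX_SKEW:
            return None  # timestamp outside the allowed window
        seen = (auth["client"], auth["ts"])
        if seen in self.replay_cache:
            return None  # same authenticator presented twice
        self.replay_cache.add(seen)
        # Mutual step: bind the client's timestamp to a reply under the same key.
        return _mac(self.session_key, b"AP-REP", auth["client"], auth["ts"])

def client_verifies_server(session_key, auth, reply):
    """Client: only a holder of the session key can produce this reply."""
    expected = _mac(session_key, b"AP-REP", auth["client"], auth["ts"])
    return hmac.compare_digest(expected, reply or b"")

def demo():
    key, t0 = os.urandom(32), 1_000_000.0  # constructed sample values
    real, auth = Service(key), make_authenticator(key, "alice", t0)
    forged = _mac(os.urandom(32), b"AP-REP", "alice", t0)  # impostor lacks the key
    return {
        "genuine": client_verifies_server(key, auth, real.accept(auth, t0 + 2)),
        "replayed": real.accept(auth, t0 + 5) is not None,
        "stale": real.accept(make_authenticator(key, "alice", t0 - 900), t0) is not None,
        "impostor": client_verifies_server(key, auth, forged),
    }
```

`demo()` returns one flag per case: the genuine service is verified by the client, while a replayed authenticator, a stale timestamp and a reply forged without the session key are all rejected.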