Hello Sam,
If the client computers are part of the AD, then you are in Kerberos
environment by default. AD is mixture of Kerberos and LDAP.
mod_ntlm is not very secure.
SPNEGO provides a mechanism to authenticate clients to webservers in a
secure fashion. It works work just like a windows machine accessing a
Windows based file server. Accept in the case of SPNEGO the Windows file
server is replaced by a WebServer (Apache/IIS etc). Once the client
authenticates to a Active Directory domain controller and receives a Ticket
Granting Ticket (TGT) , it request services from a WebServer. When the AD
controller gives a Ticket[Client to Web Server] , the client can use that
Ticket to access the resources from the WebServer.
Thanks.
Saqib Ali
http://validate.sf.net
"Sam Gold"
<SamGold@xxxxxxxx
kberry.net> To
No Phone Info "Saqib.N.Ali@xxxxxxxxxxx"
Available <Saqib.N.Ali@xxxxxxxxxxx>
cc
03/17/05 05:57 PM Subject
Re: [users@httpd] SPNEGO module for
Apache
I have heard of mod_ntlm(2) but not the module you are talking about. I
would be very interested in hearing about what exactly you are doing. I
have to do the same type of thing. We are just using AD, I'm not sure if
we are using Kerbos or not. I do know that AD supports Kerbos. I'm sorry
I couldn't be of any help.
-----Original Message-----
From: "Saqib.N.Ali@xxxxxxxxxxx"<Saqib.N.Ali@xxxxxxxxxxx>
Date: Thu, 17 Mar 2005 23:27:00
To:"users@xxxxxxxxxxxxxxxx"<users@xxxxxxxxxxxxxxxx>
Subject: [users@httpd] SPNEGO module for Apache
I was wondering if anyone has encountered any security concern/issues while
implementing Vintela's SPNEGO <
http://www.vintela.com/resources/topics/spnego/>. SPNEGO provides a
single-sign-on in a KERBEROS enabled environment. Basically it allows web
applications to automatically authenticate clients who have valid Kerberos
credentials.
I am planning to install the mod_spnego module on a apache server, that
will enable the client to single-sign-on to our internal application, if
they are part of our AD.
One possible concern is the increase of CSRF type of attacks, but that is
the case with any single-sign-on solution.
There is also the mod_spnego available on sourceforge.net any experiences
with that?
Thanks.
Saqib Ali
http://validate.sf.net
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
Sent wirelessly via BlackBerry from T-Mobile.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|