Reputation: 669
I have a web application (ASP.NET/C#) that our clients' employees use, and one of the authentication methods we support is an external Active Directory via LDAP.
I recently had a request to support Kerberos with AD.
What does this entail from a development perspective? I know the basics of Kerberos in the Unix world, but I'm not sure how it fits in with AD/LDAP.
Currently, I use standard LDAP to bind with a service account to find the user, then bind as that user with their provided credentials to verify the login.
What is needed differently to support Kerberos? My Google-fu is failing me.
To make it clear, the application server is not in the same domain as the AD server.
EDIT:
Is it even possible to do Kerberos authentication over an internet connection?
Upvotes: 1
Views: 2324
Reputation: 18843
Greg, here is what you would need to look at. If you need help with any code samples, let me know. I currently work in Active Directory Group and have 8+ yrs experience coding in C# for AD and LDAP.
You should still be able to validate user credentials if they sit on 2 different domains. You want to look at the following: PrincipalContext, UserPrincipal, GroupPrincipal if necessary, and ValidateCredentials, which is probably the one you want the most.
Upvotes: 1
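The `PrincipalContext` / `ValidateCredentials` approach named in the answer above, shown as an added example that is not part of the original answer. The domain controller name, search base, and service account parameters are placeholders, and the lookup assumes the user supplies a sAMAccountName.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdLogin
{
    // Placeholder values (assumptions, not taken from the original post).
    const string DomainController = "dc01.corp.example.com";
    const string SearchBase = "DC=corp,DC=example,DC=com";

    // Negotiate lets SSPI pick Kerberos or NTLM; Signing and Sealing protect
    // the LDAP session so the exchange is not readable or alterable in transit.
    const ContextOptions Secure =
        ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

    public static bool Validate(string user, string password,
                                string svcUser, string svcPassword)
    {
        // LDAP treats a bind with an empty password as an unauthenticated
        // bind (RFC 4513), which a server may accept; refuse it up front.
        if (string.IsNullOrWhiteSpace(user) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            // The service account is used only to connect and search.
            using (var ctx = new PrincipalContext(ContextType.Domain, DomainController,
                                                  SearchBase, Secure, svcUser, svcPassword))
            {
                // Checks the user's own credentials against the remote domain.
                if (!ctx.ValidateCredentials(user, password, Secure))
                    return false;

                // Confirm the account lives under SearchBase and is enabled.
                using (var p = UserPrincipal.FindByIdentity(
                           ctx, IdentityType.SamAccountName, user))
                    return p != null && p.Enabled == true;
            }
        }
        catch (PrincipalServerDownException)
        {
            return false; // domain controller unreachable: fail closed
        }
    }
}
```

With `ContextOptions.Negotiate`, the bind uses Kerberos only when the application server can reach a KDC for the target realm; otherwise it falls back to NTLM.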
Reputation: 18430
Kerberos has been standard in Windows for more than 13 years (since Windows 2000). All you need to do is enable Windows Auth with SPNEGO/Kerberos in your IIS. If you have a fat client, you can use SSPI to obtain a security context and read the currently logged-in Kerberos UPN from it. I have answered that kind of question already several times on SO. Please search.
Upvotes: 0