carlspring

Reputation: 32639

What are the benefits of running Kerberos with an authorization-backing server like LDAP/Active Directory/SPNEGO?

I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.

What am I missing here...? Please advise! Many thanks in advance!

Upvotes: 1

Views: 208

Answers (1)

Michael-O

Reputation: 18415

There is no overhead for another server. Active Directory combines all necessary services in one product.

Kerberos has tremendous benefits:

  • One login for all systems
  • Transparent subsequent login
  • Ciphered ticket exchange, even full transport encryption is possible
  • Delegation of credentials is supported out of the box
  • Implemented and well documented in Unix and Windows for almost two decades

I have used Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.

Upvotes: 1
