What is Kerberos
Kerberos is one of the protocols that SSO uses for authentication. It is a network authentication protocol built on secret-key (symmetric) cryptography and designed to work over untrusted networks. Kerberos operates in a client-server architecture in which the client and the server verify each other's identities (mutual authentication). The tickets and authenticators exchanged between the parties are encrypted with keys known only to the parties involved, so an attacker snooping on the network cannot read them.
For more information about Kerberos, refer to https://web.mit.edu/kerberos/
Key Entities in Kerberos
There are a few key entities involved in a Kerberos exchange.
- Key Distribution Center (KDC): The trusted third-party service that issues tickets. It contains both the Authentication Server and the Ticket Granting Server; in Active Directory, every domain controller runs a KDC.
- Authentication Server (AS): The part of the KDC that authenticates the user at login and issues a Ticket Granting Ticket (TGT).
- Ticket Granting Server (TGS): The part of the KDC that, in exchange for a valid TGT, issues the client a service ticket for the service it wants to access.
- Encrypted Keys: Symmetric keys shared between the entities. Each user and each service shares a long-term key with the KDC (AS and TGS), and the KDC generates short-lived session keys for each client-service pair. Tickets are encrypted with these keys, so a ticket can only be read by the service it was issued for.
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO): The Kerberos SPNEGO mechanism is used in a client-server architecture to negotiate the authentication protocol for an HTTP connection (the HTTP Negotiate scheme). It is used when the client and the server want to authenticate each other but do not know in advance which authentication mechanisms the other side supports; Kerberos is selected when both sides support it.
- Service Principal Name (SPN): A unique identifier for a service instance on the network, for example HTTP/esa.example.com (an illustrative name). Every service that accepts Kerberos authentication must have its SPN registered in the Kerberos database; in Active Directory the SPN is set on the account that runs the service.
- Keytab File: A file that holds the name of an Active Directory account (the service principal) together with its long-term keys, which the service uses to decrypt the Kerberos service tickets presented to it. A keytab also lets a system obtain tickets without an interactive password, so it must be protected like a password: anyone who can read it can authenticate as that account.
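The following toy model shows how the entities above fit together: the AS exchange (password-derived key, TGT), the TGS exchange (TGT plus authenticator, service ticket) and the AP exchange with the service, which decrypts the ticket with the key from its keytab and then proves its own identity back to the client. This is an added illustration, not Protegrity code and not a real Kerberos implementation: the realm, principal names, passwords, lifetimes and the stdlib-only stand-in for Kerberos encryption are all assumptions made for the example.

```python
"""Toy model of the Kerberos ticket flow (AS, TGS and AP exchanges).
Added illustration: not Protegrity code and not a real Kerberos implementation.
The "encryption" is a stdlib-only stand-in (HMAC-SHA256 keystream plus HMAC tag)
for real etypes such as aes256-cts-hmac-sha1-96; realm, principals and passwords are made up."""
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"       # assumed realm
TGS = "krbtgt/" + REALM     # principal whose key protects TGTs
LIFETIME = 600              # ticket lifetime in seconds (assumed)
SKEW = 300                  # allowed clock skew; Kerberos default is 5 minutes

def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from the password, salted with realm + principal (as for user principals)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    plain, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError on a wrong key (wrong password, or a ticket meant for another SPN)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session_key: bytes, client: str, now: int) -> bytes:
    # Fresh proof that the sender holds the session key carried inside the ticket.
    return seal(session_key, {"client": client, "ts": now})

def _check(ticket: dict, auth: dict, now: int) -> None:
    if not ticket["start"] - SKEW <= now <= ticket["end"]:
        raise PermissionError("ticket outside its validity window")
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator does not match the ticket or is stale")

class KDC:
    """Kerberos database (one long-term key per principal); acts as both AS and TGS."""
    def __init__(self, db: dict):
        self.db = db

    def _ticket(self, client: str, spn: str, key: bytes, now: int) -> bytes:
        # Sealed under the named service's key: only that service (and the KDC) can read it.
        return seal(self.db[spn], {"client": client, "service": spn, "key": key.hex(),
                                   "start": now, "end": now + LIFETIME})

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: a TGT plus its session key sealed under the user's long-term key."""
        session = os.urandom(32)
        return self._ticket(client, TGS, session, now), seal(self.db[client], {"key": session.hex()})

    def tgs_exchange(self, tgt: bytes, auth_blob: bytes, spn: str, now: int):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, then issue a ticket for spn."""
        t = unseal(self.db[TGS], tgt)
        tgs_session = bytes.fromhex(t["key"])
        _check(t, unseal(tgs_session, auth_blob), now)
        if spn not in self.db:
            raise KeyError("no SPN registered in the Kerberos database for " + spn)
        session = os.urandom(32)
        return self._ticket(t["client"], spn, session, now), seal(tgs_session, {"key": session.hex()})

class Service:
    """A Kerberized service; its keytab holds the same key the KDC stores for its SPN."""
    def __init__(self, spn: str, keytab_key: bytes):
        self.spn, self.key = spn, keytab_key

    def ap_exchange(self, ticket: bytes, auth_blob: bytes, now: int) -> bytes:
        """AP-REQ/AP-REP: accept the ticket, then prove key knowledge back (mutual auth)."""
        t = unseal(self.key, ticket)                 # ValueError if issued for another SPN
        session = bytes.fromhex(t["key"])
        auth = unseal(session, auth_blob)
        _check(t, auth, now)
        return seal(session, {"ts": auth["ts"]})     # the client verifies this echo

def login_and_access(kdc: KDC, svc: Service, client: str, password: str, now: int) -> bool:
    """Client-side flow end to end; True only if the service also proved its identity."""
    user_key = derive_key(password, client)
    tgt, as_rep = kdc.as_exchange(client, now)
    tgs_session = bytes.fromhex(unseal(user_key, as_rep)["key"])  # wrong password fails here
    st, tgs_rep = kdc.tgs_exchange(tgt, authenticator(tgs_session, client, now), svc.spn, now)
    svc_session = bytes.fromhex(unseal(tgs_session, tgs_rep)["key"])
    ap_rep = svc.ap_exchange(st, authenticator(svc_session, client, now), now)
    return unseal(svc_session, ap_rep)["ts"] == now

def demo_realm():
    """Constructed realm: user alice, SPN HTTP/esa.example.com, and the krbtgt principal."""
    db = {"alice": derive_key("correct horse", "alice"),
          "HTTP/esa.example.com": os.urandom(32), TGS: os.urandom(32)}
    return KDC(db), Service("HTTP/esa.example.com", db["HTTP/esa.example.com"])

if __name__ == "__main__":
    kdc, esa = demo_realm()
    print(login_and_access(kdc, esa, "alice", "correct horse", 1_700_000_000))
```

Two points the model makes visible: the user's password never crosses the network (a wrong password simply fails to decrypt the AS reply on the client), and a service ticket is useless to any service other than the SPN it was issued for, because only that service's keytab key can open it. The model leaves out Kerberos pre-authentication; without it a real KDC will hand out the AS reply to anyone, which is why pre-authentication is enabled by default in Active Directory.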
Before implementing Kerberos SSO, ensure that the following prerequisites are met. Kerberos also relies on the clocks of the clients, the domain controllers and the appliances being synchronized: tickets are rejected when the clock skew exceeds the allowed limit (5 minutes by default).
- The appliances, such as the ESA or the DSG, are up and running.
- Active Directory (AD) is configured and running.
- The IP addresses of the appliances resolve to a Fully Qualified Domain Name (FQDN), and the name clients use to reach an appliance matches the host part of the SPN registered for it.