Skip to end of metadata
Go to start of metadata

Kerberos is a very reliable authentication mechanism. Unfortunately, its use is not widely supported in Browsers or Web Servers. Conceptually, Kerberos could be used as an alternative to Certificates in establishing SSL/TLS sessions (RFC 2712). IE and IIS have some support here, but we are unaware of any wider us or Java support.

Kerberos may be a practical technology for Web Services validation. This would extend to CAS when it begins to support Web Service requests for tickets as well as Browser requests.

Currently this is a "strawman" proposal positioned to ensure that Kerberos ticket authentication is supported by the architecture if it become practical at some time in the future.

  • No labels


  1. kerberos is suported in

    • IE (5+, check in advanced option, "Activate Windows authentification (need restart)"),
    • Mozilla ( full:1.7, firefox 1.0, need to add the uri to "network.nogotiate-auth,trusted-uris")
    • konqueror since kde 3.4
    • IIS support kerberos already
    • apache can do the same sith the mod_auth_krb5 module

    So most browser/server support kerberos (smile)

  2. Check out Spnego. Originally created by MS for web based SSO with the release of Active Directory. It has been embraced by most modern web browsers now. Safari, Konqueror, Mozilla, Firefox, and IE all support the extension to HTTP.



  3. Out of some conversations with Scott I've been doing some research to figure out what it will take to get a SPNEGO authenticator (correct terminology?) for CAS going. Here's what I've found:

    There are two apache modules which seem to support SPNEGO:

    In looking for support for Tomcat (and java in general), things aren't looking as promising.

    First, the Sun Java Kerberos Library includes GSSAPI support (referred to as JGGS) in Java 1.4 and later ( But as referred to in section 2.5 of that page, support for underlying technologies such as SPNEGO are not implemented.

    Two commercial libraries have implemented SPNEGO support:

    And there are several references to people attempting use apache and mod_jk to get SPNEGO into Tomcat or obscure references to DIY attempts ( in the comments).

    So the first step is really finding/writing a SPNEGO for Java.

  4. Other useful links I've found:

  5. I'm writing some code that will hopefully allow us to retrieve the token from the http header. I haven't tested it yet though (wink)