Kerberos facilitates user authentication over an untrusted
network of disparate systems. Content Platform Engine running on Windows
or UNIX / Linux® servers can use Kerberos for single sign-on (SSO)
authentication. This is also known as integrated login since Content Platform Engine takes advantage of
an earlier Windows login to securely establish a user's identity without
asking the user for a password again.
There are several terms used in the rest of this section related
to Kerberos:
- Authenticate
- To establish identity. In Kerberos, this is usually done initially
by presenting some credential, such as a password, when the client
logs onto the system. After this initial authentication, Kerberos
will allow the use of tickets and encrypted timestamp information
to reliably establish the identity.
- Client
- An application that wishes to authenticate itself to a Service
like Content Platform Engine. With regard to using Kerberos with Content Platform Engine,
a client might be an application using the Content Platform Engine .NET API, the Content Platform Engine COM API, or the Content Platform Engine Web Services API.
- Service
- A server-based application running on a particular system (or
one among many in a cluster) that can use Kerberos authentication
to verify the identity of its clients. The Content Platform Engine is such a service.
- Key Distribution Center (KDC)
- A central server known to both a Kerberos client and service that
supplies Kerberos authentication services. The KDC knows passwords
for both the client and the service and acts as an intermediary between
the two. It is responsible for issuing Kerberos tickets. In the case
of using Kerberos with Content Platform Engine,
the KDC is a Windows domain controller using Active Directory.
- Service Principal Name (SPN)
- A name that identifies a particular Kerberos service that is registered
with the KDC. The client uses an SPN to identify which Kerberos service
it would like to authenticate itself to. For the Content Platform Engine, this identifier is
usually something like FNCEWS/servername, where servername is
the name of the Content Platform Engine server
system or a cluster.
- Realm
- The users, systems, SPNs, and so on, whose security is controlled
by a KDC. For the Content Platform Engine,
this is equivalent to a Windows Active Directory domain.
- Ticket Granting Ticket (TGT)
- A small piece of encrypted data issued by the KDC that is given
to either a client or service after it has successfully authenticated
itself to the KDC (for example, by initially logging onto a client
system or providing a service with a cached password). A TGT may then
be used by the client or service to identify itself whenever it wishes to use
some Kerberos function.
- Service Ticket
- A small piece of encrypted data issued by the KDC that can be
used by a client to identify itself to a particular service, like
the Content Platform Engine. This
ticket may be used many times by the client whenever it wishes to
make requests to that service, although it usually has a limited lifetime
of 8 or so hours.
- Replay attack
- An attempt by some “bad guy” to reuse parts of previous messages
that have passed over an untrusted network to falsely identify himself
as some other user. Kerberos protects itself from such attacks by
encrypting timestamp and other information with its tickets and raising
an authentication error if a particular ticket appears again with
the same timestamp.
- Keytab
- A key table. This is a secure table of user names and passwords
that may be used by services to identify themselves to the KDC.
Here is a quick sketch of how a client uses Kerberos to authenticate
itself to a service like Content Platform Engine:
- The client asks the KDC for a ticket to a service with a Service
Principal Name (SPN) using its key to encrypt parts of this request.
- Receiving the client's request, the KDC first verifies that the
request actually came from the client and then creates the service
ticket, which it passes back to the client.
- The client then adds this ticket, as well as some encrypted timestamp
information, to any messages it sends to the server. The client can
reuse this service ticket until it expires, typically in 8 or 10 hours.
- When the service (for example, Content Platform Engine) receives a message
with a ticket, it can decrypt parts of it with its own SPN key to
verify the client's identity. It also typically verifies the timestamp
and other information to guard against replay attacks.
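To make the service-side checks in this sketch concrete, here is an added Python simulation (not Content Platform Engine code, and not the real Kerberos message formats): the KDC seals a service ticket with the service's SPN key, the client adds a timestamped authenticator sealed with the session key, and the service verifies both, rejects expired tickets and out-of-skew timestamps, and keeps a replay cache so a resent authenticator with the same timestamp is refused. Sealing is modelled with HMAC tags rather than encryption, and the SPN, principal and key values are constructed.

```python
import hashlib, hmac, json, os
MAX_SKEW, TICKET_LIFETIME = 300, 8 * 3600   # 5 min clock skew; tickets live about 8 hours
def seal(key: bytes, fields: dict) -> dict:
    # Stand-in for Kerberos encryption: an HMAC tag only a holder of `key` can produce
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def open_sealed(key: bytes, sealed: dict) -> dict:
    # Reject anything not sealed under `key`: a forged or re-keyed blob fails here
    if not hmac.compare_digest(sealed["tag"], hmac.new(key, sealed["body"], hashlib.sha256).hexdigest()):
        raise ValueError("not sealed with the expected key")
    return json.loads(sealed["body"])

def kdc_issue_ticket(spn: str, spn_key: bytes, client: str, now: int):
    # KDC side: mint a session key, seal the service ticket with the service's SPN key
    session_key = os.urandom(32)
    fields = {"spn": spn, "client": client, "issued": now, "session_key": session_key.hex()}
    return seal(spn_key, fields), session_key   # both go back to the client

class KerberosService:
    # A service such as Content Platform Engine, registered under an SPN like FNCEWS/servername
    def __init__(self, spn: str, spn_key: bytes):
        self.spn, self.spn_key = spn, spn_key
        self.replay_cache = set()               # (client, timestamp) pairs already accepted
    def verify(self, ticket: dict, authenticator: dict, now: int) -> str:
        t = open_sealed(self.spn_key, ticket)   # only the KDC and this service hold spn_key
        a = open_sealed(bytes.fromhex(t["session_key"]), authenticator)  # client holds session key
        seen = (a["client"], a["timestamp"])
        checks = [(t["spn"] == self.spn, "ticket was issued for a different SPN"),
                  (now <= t["issued"] + TICKET_LIFETIME, "service ticket expired"),
                  (a["client"] == t["client"], "authenticator client does not match ticket"),
                  (abs(now - a["timestamp"]) <= MAX_SKEW, "timestamp outside allowed clock skew"),
                  (seen not in self.replay_cache, "replay: same ticket and timestamp already seen")]
        for ok, reason in checks:
            if not ok:
                raise ValueError(reason)
        self.replay_cache.add(seen)
        return t["client"]

def demo(now: int = 1_700_000_000) -> tuple:
    # Constructed exchange: the first request is accepted, an exact resend is refused
    spn, key, client = "FNCEWS/ceserver", b"constructed SPN key", "alice@EXAMPLE.COM"
    svc, (ticket, session_key) = KerberosService(spn, key), kdc_issue_ticket(spn, key, client, now)
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    accepted = svc.verify(ticket, authenticator, now)
    try:
        svc.verify(ticket, authenticator, now + 1)   # same authenticator resent
        return accepted, False
    except ValueError:
        return accepted, True
```

A real KDC and service also bind the ticket to a realm and check the ticket's start time; the replay cache here keys on client and timestamp only, which is what the definition above describes.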
Kerberos authentication goes far beyond this simple explanation
and is too large a subject to cover in this section. More information
can be found online or in many of the books written on Kerberos. See
also the Kerberos Credentials section of Web-Services-Based
Client Authentication Via Ws-Security.