Kerberos and tokens

I am reading about Kerberos, and it seems to be mostly an encryption protocol.

Does it actually pass tokens, so that it can use one set of credentials to access another system, as OAuth and SAML can?

If WSO2 is a good choice for an IdP in SAML, what would be a good choice for an IdP in Kerberos?


Anthony Lucia asked:

btan, Exec Consultant, commented:
Simply see it as:
- Kerberos is a LAN (enterprise) technology while SAML is Internet.
- Kerberos requires that the system that requests the ticket (asks for user identity, in a way) is also in the Kerberos domain; SAML does not require systems to sign up before.
- Kerberos does not reveal any identity information, because it does not know about anything beyond the principal name.
- Kerberos is an authentication/authorization scheme; SAML is a standardized way to do security markings.

However, Kerberos is showing its age and is not as detailed as SAML (see XACML / assertions), nor does Kerberos make any provision for 3rd parties. If you have a web app you would use SAML. SAML is just a standard data format for exchanging auth data. You would typically use it for web SSO (single sign on). That Kerberos isn't used over the public Internet doesn't have to do with the security of the protocol, or the exposure of the KDC, but rather that it's an authentication model that doesn't fit the needs of most "public Internet" applications.

As for the choice of servers, see below:

If a web service uses standards, it handles claims-based authentication using SAML 2.0 or, increasingly, OAuth 2.0 and OpenID Connect. Microsoft's own Azure Active Directory doesn't use Kerberos; it supports SAML and OAuth 2.0 as its authentication protocols.

In Windows Server 2012 R2, the most significant enhancements to the AD platform were made to Active Directory Federation Services (AD FS), not Active Directory Domain Services (AD DS). AD FS is an authentication head for AD DS that extends AD DS's reach to the world of web-based services that support SAML 2.0 and—in Windows Server 2012 R2's AD FS implementation—OAuth 2.0. (Think of AD FS as the teenager translating new technology to the AD DS adult that just doesn't understand it.)
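As an added illustration of the ticket model btan describes (this is not code from the thread or from any Kerberos implementation): a simplified Kerberos exchange in Python in which the KDC holds every principal's long-term key, the client obtains a TGT and then a service ticket, and the service validates the ticket with only its own key and learns nothing beyond the principal name. The HMAC-based `seal`/`unseal` helpers stand in for Kerberos' real AES encryption types, and all principal names and keys are constructed.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # HMAC-SHA256 counter keystream (stand-in for Kerberos' AES)
    out = b""
    for ctr in range(n // 32 + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, obj):  # toy encrypt-then-MAC; without `key` a party can neither read nor forge
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Holds the long-term key of every principal in the realm: users and services alike."""
    def __init__(self, keys):
        self.keys, self.krbtgt = keys, os.urandom(32)
    def as_exchange(self, user):  # AS-REQ/AS-REP: the TGT is readable only by the KDC itself
        sk = os.urandom(32)
        return seal(self.keys[user], {"key": sk.hex()}), seal(self.krbtgt, {"cname": user, "key": sk.hex()})
    def tgs_exchange(self, tgt, authenticator, service):  # TGS-REQ/TGS-REP
        t = unseal(self.krbtgt, tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        if service not in self.keys:  # the target service must itself be enrolled in the realm
            raise KeyError(f"{service} is not a principal in this realm")
        ssk = os.urandom(32)
        return (seal(bytes.fromhex(t["key"]), {"key": ssk.hex()}),
                seal(self.keys[service], {"cname": t["cname"], "key": ssk.hex()}))

def client_get_service_ticket(kdc, user, user_key, service):
    rep, tgt = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(user_key, rep)["key"])  # only the real user can open the AS-REP
    rep2, st = kdc.tgs_exchange(tgt, seal(sk, {"cname": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, rep2)["key"])
    return st, seal(ssk, {"cname": user, "ts": time.time()})  # AP-REQ: ticket + authenticator

def service_accept(service_key, ticket, authenticator):
    """The service never contacts the KDC; it learns only the principal name, no attributes."""
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]
```

A real KDC and service also check ticket lifetimes and authenticator freshness, which this simulation omits for brevity.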

Brad Groux, Senior Manager (Wintel Engineering), commented:
The Kerberos Explained TechNet article is an easily digestible overview.

Kerberos authentication within Active Directory works in conjunction with SAML in Active Directory Federation Services.
ADFS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) token type and Kerberos authentication (in the Federated Web SSO with Forest Trust scenario). ADFS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify ADFS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see Claim mapping.

In short, Kerberos is the primary authentication method for Microsoft's Active Directory.