Kerberos and tokens

Posted on 2014-08-07
Last Modified: 2014-11-12
I am reading about Kerberos, and it seems to be mostly an encryption protocol.

Does it actually pass tokens, so that it can use one set of credentials to access another system, as OAuth and SAML can?

If WSO2 is a good choice for an IdP in SAML, what would be a good choice for an IdP in Kerberos?


Question by:Anthony Lucia
    LVL 60

    Accepted Solution

    Simply see it as:
    - Kerberos is a LAN (enterprise) technology while SAML is Internet.
    - Kerberos requires that the system that requests the ticket (asks for user identity, in a way) is also in the Kerberos domain; SAML does not require systems to sign up before.
    - Kerberos does not reveal any identity information, because it does not know about anything beyond the principal name.
    - Kerberos is an authentication/authorization scheme; SAML is a standardized way to do security markings.

    However, Kerberos is showing its age and is not as detailed as SAML (see XACML / assertions), nor does Kerberos make any provision for 3rd parties. If you have a web app you would use SAML. SAML is just a standard data format for exchanging auth data. You would typically use it for web SSO (single sign on). That Kerberos isn't used over the public Internet doesn't have to do with the security of the protocol, or the exposure of the KDC, but rather that it's an authentication model that doesn't fit the needs of most "public Internet" applications.

    As for the choice of servers, you can see below.

    If a web service uses standards, it handles claims-based authentication using SAML 2.0 or, increasingly, OAuth 2.0 and OpenID Connect. Microsoft's own Azure Active Directory doesn't use Kerberos; it supports SAML and OAuth 2.0 as its authentication protocols.

    In Windows Server 2012 R2, the most significant enhancements to the AD platform were made to Active Directory Federation Services (AD FS), not Active Directory Domain Services (AD DS). AD FS is an authentication head for AD DS that extends AD DS's reach to the world of web-based services that support SAML 2.0 and—in Windows Server 2012 R2's AD FS implementation—OAuth 2.0. (Think of AD FS as the teenager translating new technology to the AD DS adult that just doesn't understand it.)
    LVL 14

    Assisted Solution

    by:Brad Groux
    The Kerberos Explained TechNet article is an easily digestible overview -

    Kerberos authentication within Active Directory works in conjunction with SAML in Active Directory Federated Services.
    ADFS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) token type and Kerberos authentication (in the Federated Web SSO with Forest Trust scenario). ADFS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify ADFS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see Claim mapping.

    In short, Kerberos is the primary authentication method for Microsoft's Active Directory.
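Added example, not from the question or either answer: a toy Python model of the ticket flow the two answers describe. The KDC alone holds every principal's long-term key, the service checks the ticket with its own key and never calls back to the KDC, and the ticket carries nothing beyond the principal name, session key and expiry, which is why attribute claims and claim mapping live in AD FS/SAML rather than in Kerberos itself. The principal names, keys and the SHA-256-based "encryption" are constructed stand-ins, not real Kerberos enctypes or message formats.

```python
import hashlib, hmac, json, os, time

def keystream(key, nonce, length):
    """Toy keystream (SHA-256 in counter mode); stands in for Kerberos' real AES enctypes."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a shared secret (toy construction, not RFC 3961)."""
    nonce, pt = os.urandom(12), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reject anything not sealed under this exact key; then decrypt."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

# The KDC is the only party holding every principal's long-term key (constructed sample realm).
REALM_KEYS = {"alice@EXAMPLE.COM": os.urandom(32),
              "HTTP/app.example.com@EXAMPLE.COM": os.urandom(32)}

def kdc_issue_ticket(client, service):
    """TGS-style step: both principals must already be enrolled in the realm."""
    if client not in REALM_KEYS or service not in REALM_KEYS:
        raise KeyError("principal not enrolled in realm")
    session_key = os.urandom(32).hex()
    ticket = seal(REALM_KEYS[service], {"cname": client, "key": session_key, "exp": int(time.time()) + 600})
    reply = seal(REALM_KEYS[client], {"sname": service, "key": session_key})
    return ticket, reply  # ticket is opaque to the client; reply is opaque to the service

def client_ap_req(client, client_key, ticket, reply):
    """Client recovers the session key from the KDC reply and proves possession with an authenticator."""
    session_key = bytes.fromhex(unseal(client_key, reply)["key"])
    return ticket, seal(session_key, {"cname": client, "ts": int(time.time())})

def service_verify(service_key, ticket, auth):
    """Service validates the ticket with its own key, offline: no round trip to the KDC."""
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    if unseal(bytes.fromhex(t["key"]), auth)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]  # the only identity fact a Kerberos ticket carries: the principal name
```

Compare the dict inside the ticket with a SAML assertion: there is no slot for group membership, e-mail or any other claim, so a service that needs those must get them from AD FS (or the directory) rather than from the ticket.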
