
Kerberos and tokens

I am reading about Kerberos, and it seems to be mostly an encryption protocol.

Does it actually pass tokens, so that it can use one set of credentials to access another system, as OAuth and SAML can?

If WSO2 is a good choice for an IdP in SAML, what would be a good choice for an IdP in Kerberos?


Anthony Lucia
2 Solutions
btan, Exec Consultant, commented:
Simply see it as:
- Kerberos is a LAN (enterprise) technology while SAML is Internet.
- Kerberos requires that the system that requests the ticket (asks for user identity, in a way) is also in the Kerberos domain; SAML does not require systems to sign up before.
- Kerberos does not reveal any identity information, because it does not know about anything beyond the principal name.
- Kerberos is an authentication/authorization scheme; SAML is a standardized way to do security markings.

However, Kerberos is showing its age and is not as detailed as SAML (see XACML / assertions), nor does Kerberos make any provision for 3rd parties. If you have a web app you would use SAML. SAML is just a standard data format for exchanging auth data. You would typically use it for web SSO (single sign-on). That Kerberos isn't used over the public Internet doesn't have to do with the security of the protocol, or the exposure of the KDC, but rather that it's an authentication model that doesn't fit the needs of most "public Internet" applications.

As for the choice of servers, see below.

If a web service uses standards, it handles claims-based authentication using SAML 2.0 or, increasingly, OAuth 2.0 and OpenID Connect. Microsoft's own Azure Active Directory doesn't use Kerberos; it supports SAML and OAuth 2.0 as its authentication protocols.

In Windows Server 2012 R2, the most significant enhancements to the AD platform were made to Active Directory Federation Services (AD FS), not Active Directory Domain Services (AD DS). AD FS is an authentication head for AD DS that extends AD DS's reach to the world of web-based services that support SAML 2.0 and—in Windows Server 2012 R2's AD FS implementation—OAuth 2.0. (Think of AD FS as the teenager translating new technology to the AD DS adult that just doesn't understand it.)
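To make the "one set of credentials, then another system" part of the question concrete, here is an added Python simulation of the three Kerberos exchanges (AS, TGS, AP). It is not code from this thread or from any Kerberos implementation; the cipher is a toy stand-in for Kerberos enctypes, and the principal names and 600-second lifetime are constructed values.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption standing in for Kerberos' real enctypes (e.g. AES-CTS + HMAC):
# a sealed blob is nonce || ciphertext || MAC and opens only with the key it was sealed under.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]
def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication + ticket-granting server: holds a long-term key for every principal in the
    realm, so a user or service not registered here cannot take part at all (KeyError on lookup)."""
    def __init__(self, keys: dict):
        self.keys, self.tgs_key = keys, os.urandom(32)

    def as_exchange(self, user: str):  # AS-REQ/AS-REP
        sk = os.urandom(32).hex()  # TGT session key; the TGT itself is readable only by the KDC
        tgt = seal(self.tgs_key, {"cname": user, "key": sk, "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"key": sk})  # session key travels under the user's key

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):  # TGS-REQ/TGS-REP
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"] or t["exp"] < time.time():
            raise ValueError("authenticator does not match TGT, or TGT expired")
        sk = os.urandom(32).hex()  # ticket for `service`, sealed under that service's long-term key
        ticket = seal(self.keys[service], {"cname": t["cname"], "key": sk, "exp": time.time() + 600})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": sk})

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ at the service: no call back to the KDC, its own key validates the ticket, and the
    only identity information the service ever receives is the principal name."""
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"] or t["exp"] < time.time():
        raise ValueError("authenticator does not match ticket, or ticket expired")
    return t["cname"]

def login_and_access(kdc: KDC, user: str, user_key: bytes, service: str, service_key: bytes) -> str:
    """Client end to end: one password-derived key, then a ticket that a second system accepts."""
    tgt, enc = kdc.as_exchange(user)
    tgt_key = bytes.fromhex(unseal(user_key, enc)["key"])
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_key, {"cname": user}), service)
    svc_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    return service_accept(service_key, ticket, seal(svc_key, {"cname": user}))
```

The client never learns the service's key and cannot open its own TGT; asking for a ticket to a service the KDC has no key for fails outright, which is the "must be in the Kerberos domain" point above.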
Brad Groux commented:
The "Kerberos Explained" TechNet article is an easily digestible overview: http://technet.microsoft.com/en-us/library/bb742516.aspx

Kerberos authentication within Active Directory works in conjunction with SAML in Active Directory Federated Services.

ADFS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) token type and Kerberos authentication (in the Federated Web SSO with Forest Trust scenario). ADFS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify ADFS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see Claim mapping.

In short, Kerberos is the primary authentication method for Microsoft's Active Directory.
