Kerberos Authentication for the Web
Shumon Huque, Jorj Bauer
University of Pennsylvania
January 2009
Introduction
It has been possible to use the Kerberos authentication protocol in 
Web (HTTP) applications for several years. Although various attempts 
to standardize Kerberos authentication in HTTP have been made, the 
method that has gained the most support in practical terms is one 
developed by Microsoft, and documented in RFC 4559 "SPNEGO-based 
Kerberos and NTLM HTTP Authentication in MS Windows". Besides Microsoft 
software (IIS and Internet Explorer), it has been widely implemented in 
other software, eg. Mozilla Firefox, Apple's Safari, Opera, Apache, etc.
RFC 4559 (referred to as "HTTP/SPNEGO" in the remainder of this document)
has a number of technical and security problems. It offers authentication
only and does not offer channel protection (protection of the data stream). 
It does not support more complex (although less common) multi-round-trip 
GSS-API mechanisms. Also in certain implementations it is difficult to 
support mutual authentication correctly. It is furthermore, an 
"Informational" RFC, and thus not an Internet standard, or standards-track 
document. There are efforts underway in the IETF and elsewhere to address 
these deficiencies, and standardize the protocol. But in the interim, it 
is possible to mitigate many of the problems by using it over SSL/TLS 
(ie. HTTPS). This document strongly recommends deploying HTTP/SPNEGO 
only on a webserver protected by SSL/TLS.
 
It is possible to use Kerberos in other ways to authenticate users
of web applications. For example, Kerberos is often used as a back-end
password verification service by the webserver, while the communication 
between the browser and server involves the transmission of a username 
and password over the network (in cleartext or over SSL). This method 
cannot correctly be described as Kerberos authentication, and is not 
recommended for use by the Penn community, since it exposes user 
passwords to an application server. To support applications using 
password based authentication like this, Penn's central web authentication 
system (WebLogin) should be used. 
Some Deployment Tips
  - Create a Kerberos service principal
  
- 
  
 Setting up a server for HTTP/SPNEGO requires the creation of a
  Kerberos service principal on the Kerberos server (KDC) and making
  available the secret key for this service principal to the webserver.
  The default form of the principal is "HTTP/f.q.d.n", where f.q.d.n
  is the fully qualified domain name of the web server. The service 
  principal name and key are usually stored in a file called a keytab. 
  This file should be strongly protected from disclosure. If stolen or 
  compromised, then it could be used by an attacker to impersonate the 
  service.
   
- Configure SSL/TLS on the webserver
  
- 
  
 No description is provided for this step, since it's generally
  well known how to do this.
   
- Ensure the Kerberos GSS-API mechanism is being used
  
- 
  
 GSSAPI (RFC 2743) is a generic AuthN mechanism. It may perform
  authN through methods other than Kerberos. In particular, it
  should be noted that Internet Explorer (versions 6 and 7, at the time
  of writing this document) makes the assumption that it's talking to an
  IIS web server, capable of performing NTLM-hashed password
  validation. If, for example, an Apache server employes mod_kerberos
  (either as required or as available), an IE client that does not have
  the appropriate Kerberos ticket will pop up a dialog for the user to
  enter their Windows NTLM password to the Apache server. This obviously
  serves no good purpose to the Apache server, and potentially lessens
  the security of the user's hashed password.
   
- Example Webserver configuration (Apache)
  
- 
  
 The modauthkerb module and instructions for configuring it for
  the Apache webserver can be found at
  
  http://modauthkerb.sourceforge.net/ An example .htaccess file that 
  uses HTTP/SPNEGO authentication, and only allows it over SSL follows:
		SSLRequireSSL
		AuthType Kerberos
		AuthName "Kerberos Login"
		KrbAuthRealms UPENN.EDU
		KrbMethodNegotiate on
		KrbMethodK5Passwd off
		KrbServiceName "HTTP/www.upenn.edu"
		Krb5Keytab "/usr/local/apache/conf/http.keytab"
		require valid-user
 SSLRequireSSL makes SSL mandatory. "AuthType" specifies Kerberos.
  KrbAuthRealms specifies the Kerberos realm. "KrbMethodNegotiate on"
  specifies the HTTP/SPNEGO method. "KrbMethodK5Passwd off" specifies
  that Kerberos password verification should NOT be used. KrbServiceName 
  and Krb5Keytab specify the Kerberos service principal name and the 
  location of it's keytab file. "require valid-user" specifies that any 
  Kerberos authenticated user is allowed access to the protected content.
   
- Example Webserver configuration (Microsoft IIS)
  
- 
  
 Pointer to some Microsoft technical documentation?
   
- WebLogin: HTTP/SPNEGO with fallback to CoSign?
  
- 
  
 Say something about supporting an environment with a population of
  browsers that are not all Kerberos capable? Deploy 2 standalone
  authentication mechanisms (CoSign and HTTP/SPNEGO)? Or use CoSign's
  ability to fallback gracefully from SPNEGO (does it actually work?)
  
 
Summary
Penn's central authentication system is based on Kerberos. Supporting
the Kerberos authentication protocol directly in web applications is
one of it's a long term strategic goals. Use of HTTP/SPNEGO, despite
it's current technical issues, and lack of universal support, is a step
in that direction. Kerberos in web applications provides better 
integration with Penn's authentication infrastructure, and the 
convenience of secure, Single Sign-On capability. It also provides an
advanced level of protection against the phishing of authentication
credentials -- an increasingly wide scale problem on the Internet made
possible by the ubiquitous paradigm of sending passwords directly
over the network to application servers. Penn hopes that upcoming
work on fully standardizing Kerberos authentication for the web
proceeds quickly. New developments to better integrate Kerberos with 
federated identity systems are also expected to play a role here.
References