What are the benefits of running Kerberos with an authorization-backing server like LDAP/Active Directory/SPNEGO?

1
votes

I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.

What am I missing here...? Please advise! Many thanks in advance!

1
active-directoryldapkerberos

1 Answers

1
votes

Their is no overhead for another server. Active Directory combines all necessary services in one product.

Kerberos has tremendous benenfits:

  • One login for all systems
  • Transparent subsequent login
  • Ciphered ticket exchange, even full transport encryption is possible
  • Delegation of credential is supported out of the box
  • Implemented and well documented in Unix and Windows for almost two decades

I use Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.