Differences between CAS and Kerberos

2
votes

I know Central Authentication Service (CAS) and Kerberos both could be utilized to authenticated for establishing the session.The two protocols involves at least three parties,and will create a Ticket Granting Ticket duration authentication,so which differences are there between CAS and Kerberos?

Anyone could help? Thank you!

[UPDATE]

@Fred said (please see reply below)

it(CAS) is a way to proxy authentication services like Kerberos or LDAP on the Web.

However,JASIG states "CAS then generates a ticket and a transient cookie transmitted over SSL to be stored in Browser memory" (https://wiki.jasig.org/display/CAS/Extended+Authentication+Walkthroughs), so I guess CAS isn't just like a proxy because it itself can generate a ticket. Am I right?

Please shed a light on me, thanks!

2
kerberoscas

2 Answers

6
votes

CAS is not an authentication service in and of itself, but it is a way to proxy authentication services like Kerberos or LDAP on the Web.

At the time CAS was invented there was little support for kerberos in either the browser or the server. So CAS ( and Stanford WebAuth, and the one Duke wrote and ... ) all came up with various ways to emulate the kind of authentication service Kerberos provides using what was available in the browser. (i.e. stuffing things that look a lot like kerberos service tickets into browser cookies... )

Even now, kerberos support is not uniformly available in all browsers and all servers. Configuring your browser to do kerberos authentication via SPNEGO can vary from completely automatic to next to impossible. If you have a web based application, your best bet is to use something like CAS to do cookie-based authentication. A proxy service like CAS will work with any browser that supports cookies.

1
votes

Kerberos does not support session key and only use algorithm verification。