The principal advantages of adopting Kerberos as an authentication service are: passwords are never sent across the network, because only keys are sent, in encrypted form; authentication is mutual, so client and server authenticate at the same step and both are sure they are communicating with the right counterpart; authentications are reusable and do not expire; Kerberos is entirely based on open Internet standards; and Kerberos is adopted by a huge number of industries, so any new weaknesses in its security protocol or in underlying modules are quickly corrected.
The weaknesses of Kerberos are: If a non-authorized user has access to the Key Distribution Center, the whole authentication system is compromised. Kerberos can only be adopted by Kerberos-aware applications. Rewriting the code of some applications to make them Kerberos-aware could be a problem.
Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box. Click the OK button and then restart the browser so that the settings take effect.
For Firefox: Open Firefox and enter about:config in the address bar. Dismiss any warnings that appear. In the Filter field, enter negotiate. Double-click the network. This preference lists the trusted sites for Kerberos authentication. In the dialog box, enter the Remedy Single Sign On domain, such as rsso. Click the OK button.
Without knowing who is requesting an operation, it is hard to decide whether the operation should be allowed. Weak authentication systems rely on authentication by assertion and assume that services and machines cannot be compromised or spoofed and that network traffic cannot be monitored.
Strong authentication systems that do not disclose secrets on the network and use encryption are becoming increasingly popular and important. All Informatics sites used to use weak authentication, where passwords for login and applications such as mail tools travelled in clear text from client to server across the network. This kind of weak authentication is very common and has been used for many years in most UNIX installations.
It is, however, completely unsuitable for authentication of users in untrusted environments, which the increasing use of portable and self-managed machines is creating here.
Our requirement to combine the old user spaces from the pre-existing administrative domains into one single user space for the whole of Informatics means that new account management procedures have had to be developed, with a review of the security model.
The sharing of services by sites across networks not managed directly by us, and support for more intermittently connected and self-managed machines, means there is even more reason to move away from machine and network trust; and we can no longer realistically condone the continued use of weak authentication. Hence an alternative technology and infrastructure must be sought.
There is no real alternative to Kerberos for strong authentication, except through the use of a public key infrastructure (PKI). However, PKI is a relatively new technology and there is little that is mature enough to be trusted, let alone deployed and distributed as a supported production system.