QA Design Gurus: What is Kerberos Authentication? How to test it using Fiddler

Dec 14, 2015

What is Kerberos Authentication? How to test it using fiddler

In every organization, employees use many applications in their day-to-day work, e.g. project management, leave management, IT support, timesheets, etc. These applications are not all provided by one vendor, and each has its own authentication mechanism, so each employee has to log into every one of them daily. The redundancy of entering the same username and password every day for all of the internal applications can be eliminated by implementing Kerberos authentication: with Kerberos, the user is authenticated automatically as long as the employee's machine is in the same private network. Most organizations use the Windows operating system and Active Directory authentication for their desktops and laptops, and many application vendors also support Kerberos authentication.

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:
  • It is secure: it never sends a password unless it is encrypted.
  • Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.
  • The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.
  • It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.


Ref: https://msdn.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif

Manual testing

Once the application has been set up for Kerberos authentication, the user should be able to access it without being asked for login credentials. The application must have an account whose login name matches the user's domain login name.
Open any browser and access the application. It should grant access to the application automatically.
Sometimes this authentication does not work because the DNS server has a problem. The client machine should be able to ping the server hosting the application, and the IP address that ping resolves should be the same one shown on the server when you run the ipconfig command there.

Enabling Kerberos Authentication in Firefox


Firefox does not automatically perform Kerberos authentication against any site. You must manually add sites to a trusted-sites list.

To enable Kerberos authentication in Firefox:
  • Open Firefox and enter about:config in the address bar. Dismiss any warnings that appear.
  • In the Filter field, enter negotiate.
  • Double-click the network.negotiate-auth.trusted-uris preference.
  • This preference lists the trusted sites for Kerberos authentication.
  • In the dialog box, enter the domain, such as abc.com.
  • Click the OK button.
The domain that you just entered in network.negotiate-auth.trusted-uris should now appear in the Value column. The setting takes effect immediately; you do not have to restart Firefox.

Testing using Fiddler
  • Download and install the Fiddler software on the client machine, not on the server machine: http://www.telerik.com/fiddler
  • Start Fiddler. It automatically captures the traffic.
  • Access the Kerberos-enabled application in any browser, e.g. Chrome.
  • Fiddler captures all requests and displays them in the left-hand pane.
  • Click on the first successful (200) request.
  • Click on the "Inspectors" tab, then the "Request Headers" section -> Headers.
  • Look for the "Cookies/Login" section or the "Security" section.
  • If the Authorization token begins with "YII" then Kerberos is functioning; if it begins with "TlR" then Kerberos did not function.
[Screenshot: Kerberos working]
or
[Screenshot: Kerberos not working]
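The "YII"/"TlR" rule of thumb above works because base64 exposes the first bytes of the token: "YII" is the encoding of the bytes 0x60 0x82 that open a GSS-API/SPNEGO token, and "TlR" is the encoding of "NTL" from the NTLMSSP signature, i.e. the browser fell back to NTLM instead of Kerberos. The script below is an added example, not code from the original post or from Fiddler; it decodes the Authorization header value (as copied from Fiddler's headers or Raw inspector view), checks the token bytes and mechanism OID, and so goes a step beyond the text-prefix check. The host name timesheet.abc.com, the sample tokens and the raw requests are constructed stand-ins, not captured traffic.

```python
"""Classify the Authorization header that Fiddler shows for a request to a
Kerberos-enabled application: 'kerberos', 'ntlm', 'none' or 'unknown'.
Added example; all sample tokens and requests below are constructed stand-ins."""
import base64
import re

# GSS-API InitialContextToken: [APPLICATION 0] constructed tag 0x60, then a DER
# length. Real tokens are longer than 255 bytes, so the length is long form
# (0x82 LL LL) and base64 of the bytes 60 82 0x starts with "YII".
GSS_APP0_TAG = 0x60
# DER-encoded mechanism OIDs that may follow the tag and length.
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
# NTLMSSP messages start with this signature; base64 of "NTL" is "TlRM".
NTLM_SIGNATURE = b"NTLMSSP\x00"

_AUTH_RE = re.compile(r"^(Negotiate|NTLM)\s+([A-Za-z0-9+/]+=*)\s*$")


def encode_token(token):
    """base64 text as it appears after the scheme name in the Authorization header."""
    return base64.b64encode(token).decode("ascii")


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'none' or 'unknown' for an Authorization header value."""
    if not header_value or not header_value.strip():
        return "none"
    m = _AUTH_RE.match(header_value.strip())
    if not m:
        return "unknown"          # Basic, Bearer, Digest, or malformed
    scheme, b64 = m.groups()
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError
        return "unknown"
    # NTLM can travel under either "NTLM" or "Negotiate"; this is the fallback
    # case the post describes as Kerberos not working.
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if scheme == "Negotiate" and token[:1] == bytes([GSS_APP0_TAG]):
        head = token[:24]         # tag + up to 4 length bytes + OID fit in here
        if any(oid in head for oid in (OID_SPNEGO, OID_KRB5, OID_MS_KRB5)):
            return "kerberos"
    return "unknown"


def authorization_from_raw_request(raw):
    """Extract the Authorization header value from a raw HTTP request (Fiddler's Raw view)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return ""


def classify_raw_request(raw):
    """Convenience wrapper: classify a whole raw request as pasted from Fiddler."""
    return classify_authorization(authorization_from_raw_request(raw))


# --- constructed samples (not captured from a real network) --------------------

def make_sample_spnego_token(padding=300):
    """Stand-in for a SPNEGO token: correct outer framing, dummy inner payload."""
    inner = OID_KRB5 + bytes(padding)           # placeholder, not a real AP-REQ
    body = OID_SPNEGO + b"\xa0\x82" + len(inner).to_bytes(2, "big") + inner
    return bytes([GSS_APP0_TAG, 0x82]) + len(body).to_bytes(2, "big") + body


# NTLM Type 1 (NEGOTIATE) message: signature, type=1, flags, empty name fields.
SAMPLE_NTLM_TYPE1 = (NTLM_SIGNATURE + (1).to_bytes(4, "little")
                     + bytes.fromhex("97820802") + bytes(16))

SAMPLE_RAW_KERBEROS = (
    "GET /timesheet/ HTTP/1.1\r\n"
    "Host: timesheet.abc.com\r\n"               # placeholder host, like the post's abc.com
    "Authorization: Negotiate " + encode_token(make_sample_spnego_token()) + "\r\n"
    "\r\n"
)
SAMPLE_RAW_NTLM = (
    "GET /timesheet/ HTTP/1.1\r\n"
    "Host: timesheet.abc.com\r\n"
    "Authorization: Negotiate " + encode_token(SAMPLE_NTLM_TYPE1) + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("kerberos sample", SAMPLE_RAW_KERBEROS), ("ntlm sample", SAMPLE_RAW_NTLM)):
        value = authorization_from_raw_request(raw)
        print(f"{label}: token prefix {value.split()[1][:4]} -> {classify_raw_request(raw)}")
```

To use it on a real capture, paste the request from Fiddler's Raw inspector into `classify_raw_request`, or just the header value into `classify_authorization`. The "unknown" result is deliberate for anything that is neither Kerberos nor NTLM (Basic, Bearer, or a truncated token), so a test run that expected Kerberos and got "unknown" points at a misconfigured trusted-sites list or a proxy rewriting the header rather than at an NTLM fallback.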



