 

Interplay of Kerberos authentication and reverse proxies

I need to gain some high-level understanding about the interplay of reverse proxies and the Kerberos protocol.

Assume I have a web service and a client, which are already implemented and working. Now we put the web service into a network behind a reverse proxy. The internal authentication in the network behind the reverse proxy is based on Kerberos.

Now I would like to know whether this new infrastructure would make some programmatic changes on the web service side and on the client side necessary. This depends on

  1. whether the reverse proxy will act as a client in this intranet using its own tickets
  2. or whether the outside client has to be aware of this additional authentication layer and has to be able to request tickets by itself

What is the state of the art in such situations?

Thanks in advance!

Dr. Christian Müller asked Nov 23 '12 09:11



1 Answer

I think I found the answer. Constrained delegation is the feature of the Kerberos protocol I expected to exist.

If we use SSL/TLS with mutual certificate-based authentication, then the client will be authenticated by the proxy, which validates the client's certificate against a local CA (within the hidden intranet). Afterwards, the proxy will generate Kerberos tickets on behalf of the already authenticated client.

At the server side, the ticket validation should happen at the runtime level (e.g., by IIS).

Hence, if the client is able to consume the service through SSL/TLS, then the Kerberos authentication remains fully transparent for the client and the server.

Dr. Christian Müller answered Oct 03 '22 14:10
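As an added example that is not part of the original question or answer, the following Python models the flow the answer describes: the TLS-terminating proxy authenticates the client by certificate, then uses Kerberos constrained delegation with protocol transition (the S4U2Self and S4U2Proxy exchanges) to obtain a backend service ticket in the client's name. No KDC is contacted; the KDC-side checks are modelled from the Active Directory account attributes they depend on, and the realm, principals and SPNs are constructed.

```python
# Added example, not code from the original post. Models the constrained
# delegation (protocol transition) flow a reverse proxy performs after it has
# authenticated a client by TLS certificate. All names are constructed.
from dataclasses import dataclass


@dataclass
class Account:
    principal: str
    trusted_to_auth_for_delegation: bool = False    # protocol transition allowed
    allowed_to_delegate_to: frozenset = frozenset()  # msDS-AllowedToDelegateTo
    sensitive_cannot_be_delegated: bool = False      # per-user opt-out flag


class DelegationRefused(Exception):
    pass


def upn_from_client_cert(cert_san_upn: str, realm: str) -> str:
    """Map the UPN carried in the client certificate's SAN to a principal."""
    user, _, domain = cert_san_upn.partition("@")
    if not user or domain.upper() != realm:
        raise DelegationRefused(f"UPN {cert_san_upn!r} is not in realm {realm}")
    return f"{user}@{realm}"


def proxy_obtains_backend_ticket(proxy: Account, client: Account, target_spn: str):
    """Return the (exchange, requester, on_behalf_of, service) steps performed."""
    # S4U2Self: the proxy asks the KDC for a ticket to itself in the client's
    # name. Without protocol transition the KDC answers, but the ticket is not
    # forwardable and cannot serve as evidence in the next step.
    if not proxy.trusted_to_auth_for_delegation:
        raise DelegationRefused("proxy lacks TrustedToAuthForDelegation")
    if client.sensitive_cannot_be_delegated:
        raise DelegationRefused(f"{client.principal} may not be delegated")
    steps = [("S4U2Self", proxy.principal, client.principal, proxy.principal)]
    # S4U2Proxy: the proxy presents that ticket and asks for one to the backend.
    # The KDC issues it only for SPNs listed on the proxy account.
    if target_spn not in proxy.allowed_to_delegate_to:
        raise DelegationRefused(f"{target_spn} not in allowed-to-delegate-to list")
    steps.append(("S4U2Proxy", proxy.principal, client.principal, target_spn))
    return steps


def delegation_allowed(proxy: Account, client: Account, target_spn: str) -> bool:
    """Convenience wrapper: True if the proxy would get a ticket for target_spn."""
    try:
        proxy_obtains_backend_ticket(proxy, client, target_spn)
        return True
    except DelegationRefused:
        return False
```

The two refusal paths are the ones a defender relies on: the proxy can impersonate only towards the SPNs listed on its account, and users flagged as sensitive are excluded even when the proxy is trusted.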