Kerberos has been the de facto industry standard for single sign-on (SSO) for many years, but it has not yet been widely adopted for intranet and web applications. Firefox has supported GSSAPI (on Linux/Unix, and on Windows using MIT Kerberos for Windows (KfW)) and SSPI (Windows) for Kerberos authentication for quite a while; it has been usable since version 1.5.
Because Microsoft also uses NTLM for SSO purposes, they invented a GSSAPI pseudo-mechanism named SPNEGO to negotiate which of the protocols to use. Fortunately, MIT Kerberos (since version 1.5) supports SPNEGO (thanks to Sun donating an implementation), so we can use MIT's GSSAPI library on the server side. SPNEGO is so far only supported on Linux platforms (KfW 3.1 includes a krb library of version 1.4.5; 3.2, which is currently in beta, will have 1.6+), but at least Mozilla will automatically fall back to plain Kerberos authentication, which works perfectly with an MIT server side.
Update: KfW 3.2 has been released today - SPNEGO now works on Windows.
I have not yet had a chance to experiment in an SSPI environment and there are rumors about Microsoft not implementing their own protocol (SPNEGO) correctly, so I cannot really say whether it is compatible.
There is a (not yet standardized) extension to the HTTP/1.1 specification which specifies the "HTTP negotiate" authentication method. We try to use it for SSO on web applications and web resources.
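As an added illustration (not code from this post or from the PHP extension it describes), the following PHP 8 function inspects an `Authorization: Negotiate` header and reports whether the client sent a SPNEGO-wrapped token, a plain Kerberos 5 token (the fallback mentioned above) or raw NTLM. The function name and the sample token are assumptions made for this example; the two OIDs are the registered SPNEGO and Kerberos 5 mechanism identifiers.

```php
<?php
declare(strict_types=1);

// DER content bytes of the mechanism OIDs (without tag and length).
const OID_SPNEGO = "\x2b\x06\x01\x05\x05\x02";             // 1.3.6.1.5.5.2
const OID_KRB5   = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"; // 1.2.840.113554.1.2.2

// Hypothetical helper: returns spnego | krb5 | ntlm | unknown-mech | malformed | not-negotiate.
function classify_negotiate_header(string $header): string
{
    if (!preg_match('~^Negotiate\s+([A-Za-z0-9+/]+={0,2})\s*$~i', $header, $m)) {
        return 'not-negotiate';
    }
    $tok = base64_decode($m[1], true);
    if ($tok === false || strlen($tok) < 4) {
        return 'malformed';
    }
    // Raw NTLM is not GSS-framed; it starts with a fixed signature.
    if (strncmp($tok, "NTLMSSP\0", 8) === 0) {
        return 'ntlm';
    }
    // GSS-API initial token: 0x60 <DER length> 0x06 <OID length> <OID> <mech data>
    if ($tok[0] !== "\x60") {
        return 'malformed';
    }
    $pos = 1;
    $len = ord($tok[$pos++]);
    if ($len & 0x80) {                       // long form: low 7 bits count length bytes
        $n = $len & 0x7f;
        if ($n < 1 || $n > 4 || $pos + $n > strlen($tok)) {
            return 'malformed';
        }
        for ($len = 0; $n > 0; $n--) {
            $len = ($len << 8) | ord($tok[$pos++]);
        }
    }
    // The declared length must cover exactly the rest of the token.
    if ($len < 2 || $pos + $len !== strlen($tok) || $tok[$pos] !== "\x06") {
        return 'malformed';
    }
    $oidLen = ord($tok[$pos + 1]);
    if ($oidLen > 0x7f || $oidLen + 2 > $len) {
        return 'malformed';
    }
    $oid = substr($tok, $pos + 2, $oidLen);
    return match ($oid) { OID_SPNEGO => 'spnego', OID_KRB5 => 'krb5', default => 'unknown-mech' };
}

// Constructed sample: GSS framing around the SPNEGO OID plus two dummy payload bytes.
$sample = base64_encode("\x60\x0a\x06\x06" . OID_SPNEGO . "\xa0\x00");
echo classify_negotiate_header("Negotiate $sample"), "\n";
```

Logging this classification on the server shows which clients fall back from SPNEGO to plain Kerberos and flags any that offer NTLM instead of a Kerberos ticket.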
I wrote a PHP extension which gives server-side support for this kind of authentication. Continue reading for directions on how to use it...