The Java Authentication and Authorization Service
(JAAS) is used within the Kerberos subsystem to support Kerberos
authentication of user names and passwords. You may choose to use Kerberos
against an Active Directory server in preference to LDAP or NTLM as it
provides strong encryption without using SSL. It would still be possible to
export user registry information using a chained LDAP subsystem.
The disadvantages of using LDAP authentication against Active Directory compared with JAAS/Kerberos are:
- the simplest approach is to use the SIMPLE LDAP authentication protocol, which should be used with SSL
- AD requires special set up to use digest MD5 authentication (reversible encryption for passwords), which may be difficult retrospectively
- LDAP can use GSSAPI and Kerberos which would be equivalent but this is more difficult to configure and has not been tested
Note: If you are using a proxy (load balancer) with Kerberos authentication, either:
- Use the external authentication subsystem on SkyVault and set up the proxy to implement kerberos
- Set up the kerberos authentication subsystem on SkyVault and create the Service Principal Name (SPN) in Active Directory to include the proxy DNS name. With this option, the load balancer relays the negotiate headers to the SkyVault repository, but the client sees the proxy as a DNS name. You must set Active Directory to allow this by creating the SPN for the proxy.
For some scenarios on using Kerberos with a proxy, see Load Balancers and Kerberos.
For some pointers and background information on JAAS, the Java Authentication and Authorization Service, refer to the following web sites: