
Configuring Kerberos

The Java Authentication and Authorization Service (JAAS) is used within the Kerberos subsystem to support Kerberos authentication of user names and passwords. You can choose to use Kerberos against an Active Directory server in preference to LDAP or NTLM, as it provides strong encryption without using SSL. Even with Kerberos authentication, user registry information can still be exported by chaining an LDAP subsystem.

The disadvantages of using LDAP authentication against Active Directory compared with JAAS/Kerberos are:

  • the simplest approach is to use the SIMPLE LDAP authentication protocol, which should be used with SSL
  • AD requires special setup to use DIGEST-MD5 authentication (passwords stored with reversible encryption), which might be difficult to apply retrospectively
  • LDAP can use GSSAPI and Kerberos, which would be equivalent, but this is more difficult to configure and has not been tested

Note: If you are using a proxy (load balancer) with Kerberos authentication, either:
  • Use the external authentication subsystem and set up the proxy to implement Kerberos
  • Set up the Kerberos authentication subsystem and create the Service Principal Name (SPN) in Active Directory to include the proxy DNS name. With this option, the load balancer relays the Negotiate headers to the repository, but the client sees the proxy as a DNS name. You must set Active Directory to allow this by creating the SPN for the proxy.
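As an added example (not part of this documentation or the product), the PowerShell below registers the proxy's HTTP SPN on the service account the repository uses for Kerberos, after checking that no other account already holds that SPN; the account name and DNS name are placeholders, and the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example: register the proxy DNS name as an SPN on the repository's
# service account. A Kerberos ticket for HTTP/<proxy name> is encrypted with
# the key of the account holding that SPN, so it must be the same account the
# repository uses; otherwise the repository cannot decrypt the ticket.
Import-Module ActiveDirectory

$ServiceAccount = 'alfresco-svc'               # placeholder: repository service account
$ProxyDnsName   = 'alfresco.corp.example.com'  # placeholder: name clients use for the proxy
$Spn            = "HTTP/$ProxyDnsName"

$svcDn = (Get-ADUser -Identity $ServiceAccount).DistinguishedName

# A duplicate SPN (the same SPN on two accounts) breaks Kerberos for that name,
# so check forest-wide before adding it.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
$other   = @($holders | Where-Object { $_.DistinguishedName -ne $svcDn })
if ($other.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($other.DistinguishedName -join ', ')"
}

# Add the SPN only if the service account does not already carry it.
$current = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
if ($current -contains $Spn) {
    Write-Host "SPN $Spn already present on $ServiceAccount"
} else {
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $Spn }
    Write-Host "Added $Spn to $ServiceAccount"
}

# Verify: the account should now list the proxy SPN alongside any existing
# SPN for the repository host itself.
(Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
```

Run it as an account with rights to modify the service account; if the throw fires, remove the SPN from the other account before retrying rather than registering it twice.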

For some scenarios on using Kerberos with a proxy, see Load Balancers and Kerberos.

For some pointers and background information on JAAS, the Java Authentication and Authorization Service, refer to the following websites: