I've been tasked with finding out how to do authentication with Kerberos certificates.
I've read through the usual list of articles:
The reason for pursuing this is as follows: a guest environment is planning to employ a virtualization tool on mobile devices, and the virtualization tool includes a web browser--which is to be given access through our proxy. None of this will have any meaningful access to Active Directory, and they don't want users to have to enter a user name and password. So, their idea (as best I understand) is to have the devices get a Kerberos certificate and pass that to the proxy.
I've already been through the possibilities for client authentication using X.509 certificates, and that has been deemed unsuitable.
Note that a CA certificate as signer of these Kerberos certificates is to be applied to the proxy--as the configuration that tells the proxy which Kerberos certificates are to be permitted as representing an authenticated user.
So, is there much possibility of adapting the existing articles to create a configuration that would allow authentication to the proxy with Kerberos certificates in this manner?
Hi John, this makes zero sense to me.
"Kerberos" and "certificate" don't belong in the same proximity. I've never heard of a Kerberos certificate.
Honestly, what you're describing sounds like X.509 authentication. This is pretty common with mobile device management (MDM) providers wanting to distribute certs to mobile devices. This way you can do authentication without prompting the users.
Was there any other background information that the team gave?
Yeah, I'd already implemented X.509 certificate handling when they told me that would not do.
And, it all sounds too strange to me, but I'm not a Kerberos expert and don't know enough to say whether this is apples and oranges.
Kerberos works whereby the client gets a ticket from the KDC (in this case Active Directory). The ticket is just encrypted information like username, groups, timestamp, and more that the client and the service (in this case MWG) can decrypt. The client passes this ticket along to the service for authentication and authorization. The MWG is able to decrypt the ticket using the Keytab, this is what enables the MWG to have no connection to AD.
As this relates to you, since the clients don't have a connection to AD, Kerberos won't work -- this is common for mobile devices.
Did the team give a reason why X.509 authentication wouldn't work? Were you using the authentication server?
Perhaps a better solution might be to communicate with the network controller that authenticates the devices when they get on the network.
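To make the ticket flow in the reply above concrete (client gets a ticket from the KDC, the service validates it with nothing but its keytab, so the proxy needs no live connection to AD), here is a toy model of that exchange. This is an added example, not code from McAfee Web Gateway or any Kerberos implementation: the principal names, secrets and timestamps are constructed, the "cipher" is an HMAC-SHA256 encrypt-then-MAC stand-in for the real RFC 3961 encryption types, and the message fields are a simplified version of a Kerberos ticket and authenticator.

```python
"""Toy Kerberos ticket flow: KDC issues a service ticket, the proxy checks it offline."""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # seconds (constructed; AD defaults to 10 hours)
MAX_CLOCK_SKEW = 300         # seconds; the usual 5-minute Kerberos tolerance


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real enctype.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON dict (plays the role of Kerberos EncryptedData)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(secret):
    # Stand-in for Kerberos string-to-key (real implementations use salted PBKDF2).
    return hashlib.sha256(secret.encode()).digest()


class KDC:
    """Knows every principal's long-term key and group membership (Active Directory's role)."""
    def __init__(self, principals, directory):
        self.keys = {p: string_to_key(s) for p, s in principals.items()}
        self.directory = directory

    def issue_ticket(self, cname, sname, now):
        session_key = os.urandom(32).hex()
        endtime = now + TICKET_LIFETIME
        # Ticket: readable only by the service (encrypted under its keytab key).
        ticket = seal(self.keys[sname], {"cname": cname, "sname": sname,
                                         "groups": self.directory.get(cname, []),
                                         "session_key": session_key,
                                         "authtime": now, "endtime": endtime})
        # Enc-part: readable only by the client (encrypted under the client's key).
        enc_part = seal(self.keys[cname], {"session_key": session_key, "endtime": endtime})
        return ticket, enc_part


class Client:
    def __init__(self, cname, secret):
        self.cname, self.key = cname, string_to_key(secret)

    def build_ap_req(self, ticket, enc_part, now):
        session_key = bytes.fromhex(unseal(self.key, enc_part)["session_key"])
        # The authenticator proves the sender holds the session key and is fresh.
        return {"ticket": ticket, "authenticator": seal(session_key, {"cname": self.cname, "ctime": now})}


class Proxy:
    """The service (MWG's role): validates AP-REQs using only its keytab key."""
    def __init__(self, sname, keytab_secret):
        self.sname, self.key = sname, string_to_key(keytab_secret)
        self.replay_cache = set()

    def authenticate(self, ap_req, now):
        try:
            t = unseal(self.key, ap_req["ticket"])
            a = unseal(bytes.fromhex(t["session_key"]), ap_req["authenticator"])
        except ValueError:
            return None                      # not our keytab, or tampered
        if t["sname"] != self.sname or not (t["authtime"] - MAX_CLOCK_SKEW <= now <= t["endtime"]):
            return None                      # wrong service or expired ticket
        if a["cname"] != t["cname"] or abs(a["ctime"] - now) > MAX_CLOCK_SKEW:
            return None                      # authenticator mismatch or stale
        if (a["cname"], a["ctime"]) in self.replay_cache:
            return None                      # replayed authenticator
        self.replay_cache.add((a["cname"], a["ctime"]))
        return {"user": t["cname"], "groups": t["groups"]}


def demo(now=1_700_000_000):
    """Run the flow once; returns outcomes for a good request and three failure cases."""
    kdc = KDC({"jsmith@EXAMPLE.COM": "user-pw", "HTTP/proxy.example.com": "keytab-secret"},
              {"jsmith@EXAMPLE.COM": ["Domain Users", "Proxy-Allowed"]})
    client = Client("jsmith@EXAMPLE.COM", "user-pw")
    proxy = Proxy("HTTP/proxy.example.com", "keytab-secret")
    ticket, enc_part = kdc.issue_ticket(client.cname, proxy.sname, now)   # needs the KDC
    ap_req = client.build_ap_req(ticket, enc_part, now + 10)
    return {"ok": proxy.authenticate(ap_req, now + 12),                  # no KDC contact here
            "replay": proxy.authenticate(ap_req, now + 13),
            "wrong_keytab": Proxy(proxy.sname, "other-secret").authenticate(ap_req, now + 12),
            "expired": Proxy(proxy.sname, "keytab-secret").authenticate(ap_req, now + TICKET_LIFETIME + 1)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the four outcomes in `demo()` is the one the reply makes: the only step that needs the KDC is `issue_ticket`, which is exactly the step a mobile device with no path to AD cannot perform, while `Proxy.authenticate` succeeds or fails purely on what is in the ticket, the keytab key and the local clock.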
I finally got a full explanation of what was being asked for. The proxy side is just Kerberos starting with an AS-REQ. The certificate they were talking about is nothing more than the client authentication to the Kerberos KDC. So, there was never any expectation that a certificate was going to be passed to the proxy as part of the Kerberos protocol.