[rt-users] Comprehension Question about LDAP and SSO
Michael Brown
mbrown at fensystems.co.uk
Thu Feb 24 05:33:23 EST 2011
On Thursday 24 Feb 2011 07:56:13 john s. wrote:
> So recap again:
>
> - Apache server with a Kerberos module (which?)
mod_auth_kerb
> - configure RT for the Kerberos module for Apache
> - and an entry in htaccess for authentication with the AD
> - a browser entry to get access to rt-server (do IP addresses also work?)
Kerberos will attempt a reverse DNS lookup on the IP address to determine
which principal name it should use for authenticating the server. (Kerberos
provides mutual authentication; it insists on verifying that the server is the
correct server as well as providing the user's own credentials.) In practice,
you either need fully working forward and reverse DNS, or you need a fairly
deep understanding of how Kerberos works so you can figure out which bits of
DNS you could safely omit.
> What is this procedure called?... If I search on the net I only find
> methods to authenticate via Kerberos without the Windows logon.
> *confusing
A Windows Active Directory logon *is* a Kerberos logon, since AD uses
Kerberos. By logging on to an Active Directory domain, you already have
Kerberos credentials.
By configuring your web server and browser as I outlined previously, you can
instruct Windows to pass on these credentials to the web server transparently.
Everything will (eventually) appear to work magically. :)
Michael
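
Added example, not part of Michael's message or of RT or mod_auth_kerb: a check of the forward and reverse DNS agreement the reply describes, showing which service principal a forward-then-reverse lookup would lead a client to request. The `HTTP/` service name, the realm, the `example.com` names and all function names are assumptions for illustration.

```python
import socket

def dns_forward(name):
    """Addresses that a host name resolves to (live DNS)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def dns_reverse(addr):
    """PTR name for an address (live DNS)."""
    return socket.gethostbyaddr(addr)[0]

def check_host(name, realm, forward=dns_forward, reverse=dns_reverse):
    """Return (principals, findings) for the name users put in the URL."""
    want = name.rstrip(".").lower()
    principals, findings = set(), []
    try:
        addrs = forward(want)
    except OSError:
        return [], [f"{want}: forward lookup failed"]
    for addr in addrs:
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError:
            findings.append(f"{addr}: no PTR record")
            continue
        # The reverse name, not the typed name, ends up in the principal.
        principals.add(f"HTTP/{ptr}@{realm}")
        if ptr != want:
            findings.append(f"{addr}: PTR is {ptr}, not {want}")
        try:
            back = forward(ptr)
        except OSError:
            back = []
        if addr not in back:
            findings.append(f"{ptr}: does not resolve back to {addr}")
    return sorted(principals), findings

# Constructed zone data (documentation names and addresses), not from the thread.
A = {"rt.example.com": ["192.0.2.10"], "rt-old.example.com": ["192.0.2.20"],
     "web01.example.com": ["192.0.2.20"]}
PTR = {"192.0.2.10": "rt.example.com", "192.0.2.20": "web01.example.com"}

def fake_forward(name):
    if name not in A:
        raise OSError("unknown host")
    return A[name]

def fake_reverse(addr):
    if addr not in PTR:
        raise OSError("no PTR")
    return PTR[addr]
```

Called without the last two arguments, `check_host` queries live DNS; any principal it reports that has no matching entry in the web server's keytab is a name under which the transparent logon would fail.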