Kerberos Interoperability and SSO authentication
Hi,
I'm implementing SSO interoperability between a Microsoft platform and a Java platform using Kerberos V5. I have a Java program (a web service) that needs authentication to be executed and a Microsoft program elsewhere that has previously authenticated against AD and wants to access functionality of the Java program.
Here is the solution I'm taking:
1) The Microsoft program will use GSSAPI (in fact SSPI) to initialize a security context and create a Kerberos token that it will send to the Java web service. The security context will request no mutual authentication so as not to need tokens from the Java web service. (According to the documentation included in the Java SDK, initializing a GSSAPI context for Kerberos with no mutual authentication requires only one step.)
2) The Java web service will use GSSAPI to accept a security context from the token received. If no exceptions are thrown I will assume that the caller has been previously authenticated successfully, and then it will have access to the web service functionality.
Here are the questions:
1) Is this approach correct?
2) The client doesn't request mutual authentication. Does this represent a serious security mismatch?
3) Would a better approach be to use credential delegation on the client side?
4) If the client uses SPNEGO to generate a token, will that token be acceptable in the GSSAPI context on the server?
Thanks a lot,
Jose
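An added example (not code from the original post) of the acceptor side described in step 2 using the Java GSS-API: it validates a single client token, requires the context to be fully established after that one token (the expected outcome when the initiator did not request mutual authentication), and returns the initiator's principal plus the negotiated context flags so the service makes its access decision from the verified name rather than from the absence of an exception alone. It assumes a JAAS login entry named "JavaWebService" (a hypothetical name) that uses Krb5LoginModule with the service's keytab; the class, method and field names are mine.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

/** Hypothetical acceptor for the Java web service. Expects a JAAS entry
 *  "JavaWebService" (Krb5LoginModule, keytab of the service principal). */
public class KerberosAcceptor {

    /** What the service learns from one successfully accepted token. */
    public static final class AuthResult {
        public final String clientPrincipal;   // verified initiator, e.g. user@REALM
        public final boolean mutualAuth;       // true only if the client asked for mutual auth
        public final boolean credDelegated;    // true if a delegated credential was received
        public final byte[] responseToken;     // non-null only when a reply (AP-REP) is owed
        AuthResult(String p, boolean m, boolean d, byte[] t) {
            clientPrincipal = p; mutualAuth = m; credDelegated = d; responseToken = t;
        }
    }

    public static AuthResult accept(byte[] clientToken) throws Exception {
        LoginContext lc = new LoginContext("JavaWebService");
        lc.login();                                   // loads the service key from the keytab
        Subject service = lc.getSubject();
        return Subject.doAs(service, (PrivilegedExceptionAction<AuthResult>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // Accept-only credential for both raw Kerberos V5 and SPNEGO-wrapped tokens
            Oid[] mechs = { new Oid("1.2.840.113554.1.2.2"),   // Kerberos V5
                            new Oid("1.3.6.1.5.5.2") };        // SPNEGO
            GSSCredential cred = manager.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME, mechs, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(cred);
            byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
            if (!ctx.isEstablished()) {
                // Without mutual auth the context must be complete after this token;
                // anything else means the exchange is incomplete, so deny access.
                ctx.dispose();
                throw new GSSException(GSSException.FAILURE);
            }
            AuthResult result = new AuthResult(ctx.getSrcName().toString(),
                    ctx.getMutualAuthState(), ctx.getCredDelegState(), reply);
            ctx.dispose();
            return result;
        });
    }
}
```

If `responseToken` is non-null the client requested mutual authentication after all and the token must be sent back, otherwise the result is ready for the service's authorization check on `clientPrincipal`.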

