Kerberos Single Sign-On

Kerberos is an authentication protocol that was originally developed at MIT to provide mutual authentication between clients and services. Microsoft brought Kerberos to a mass audience by making it the default authentication mechanism in Windows 2000. Since then, Kerberos has become the foundation for authentication in every Windows operating system, and MIT continues to distribute it freely for use on both Windows and Unix-based operating systems.

Kerberos requires connectivity to a central Key Distribution Center (KDC). In Windows, each Active Directory Domain Controller (DC) acts as a KDC. Users authenticate themselves to services (e.g. web servers) by first authenticating to the DC, then requesting encrypted service tickets from the DC for the specific service they wish to use.

Only the service (and the DC) can decrypt the service ticket to get the user’s information. Because only the DC could have created the service ticket, the service knows that the user must also have authenticated to the DC, and so it can trust the user credentials in that ticket. More in-depth discussions of the Kerberos protocol are beyond the scope of this guide and can easily be found online.
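The trust relationship described above can be made concrete with a small model of the ticket exchange. The following is an added illustration, not PortalGuard's code and not real Kerberos: the cipher is a toy encrypt-then-MAC construction standing in for Kerberos encryption types, there is no separate ticket-granting ticket step, and all principal names (alice@CORP.EXAMPLE, HTTP/portal.corp.example) are constructed. What it does show is the property the text relies on: a service that never contacts the KDC still accepts only tickets sealed under the key it shares with the KDC, and the user who carries the ticket can neither read nor alter it.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Expand key+nonce into n keystream bytes (toy cipher, illustration only)."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under `key`; only a holder of `key` can open or forge it."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: holds one long-term key per principal (user or service)."""

    def __init__(self) -> None:
        self.keys = {}

    def register(self, principal: str) -> bytes:
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]

    def request_service_ticket(self, user: str, proof: bytes, service: str, lifetime: int = 300):
        """The user proves knowledge of their key by sealing a fresh timestamp with it.
        The KDC then issues a ticket sealed under the *service's* key, plus a copy of
        the session key sealed under the *user's* key."""
        ts = unseal(self.keys[user], proof)["timestamp"]  # ValueError unless the real user key was used
        if abs(time.time() - ts) > 300:
            raise ValueError("stale authentication proof")
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": user, "service": service,
                                           "session_key": session_key, "expires": time.time() + lifetime})
        for_user = seal(self.keys[user], {"service": service, "session_key": session_key})
        return ticket, for_user


def service_accepts(name: str, service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """The service never talks to the KDC; it trusts the ticket because only the KDC
    (and the service itself) hold the key the ticket is sealed under."""
    t = unseal(service_key, ticket)
    if t["service"] != name or t["expires"] < time.time():
        raise ValueError("ticket not for this service or expired")
    auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if auth["user"] != t["user"]:
        raise ValueError("authenticator does not match the ticket")
    return t["user"]


def demo() -> dict:
    """Happy path plus two checks a defender cares about; returns the outcome of each."""
    kdc = KDC()
    user, spn = "alice@CORP.EXAMPLE", "HTTP/portal.corp.example"   # constructed names
    alice_key, web_key = kdc.register(user), kdc.register(spn)
    proof = seal(alice_key, {"timestamp": time.time()})
    ticket, for_user = kdc.request_service_ticket(user, proof, spn)
    session_key = bytes.fromhex(unseal(alice_key, for_user)["session_key"])
    authenticator = seal(session_key, {"user": user, "timestamp": time.time()})
    results = {"legitimate": service_accepts(spn, web_key, ticket, authenticator)}
    try:  # the user carrying the ticket cannot open it: it is sealed under the service key
        unseal(alice_key, ticket)
        results["user_opens_ticket"] = "opened"
    except ValueError:
        results["user_opens_ticket"] = "rejected"
    try:  # a ticket sealed under any key other than the service's is refused
        wrong_key_ticket = seal(os.urandom(32), {"user": user, "service": spn,
                                                  "session_key": session_key.hex(),
                                                  "expires": time.time() + 300})
        service_accepts(spn, web_key, wrong_key_ticket, authenticator)
        results["wrong_key_ticket"] = "accepted"
    except ValueError:
        results["wrong_key_ticket"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The two rejections are the whole point of the design: the service needs no network round-trip to the DC at request time, because the ticket's integrity and confidentiality under a key only the DC and the service hold is what vouches for the user's earlier authentication.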

With PortalGuard, users log in to their organization-supplied workstation (via Microsoft Active Directory) and then receive Kerberos-based SSO directly to the PortalGuard server, which in turn can provide SSO to the other web applications with which it is federated.

If you’re interested in more details on how Kerberos works, see the article on our blog.