Use of Kerberos credentials
Kerberos-delegated credentials are one of the token types provided by the Federation Runtime. Kerberos credentials generated by the Federation Runtime for single sign-on offer some advantages over traditional Access Manager single sign-on mechanisms:
- Kerberos credentials are easily used by ASP.NET Web applications without requiring special code to be deployed.
- Kerberos credentials can be forwarded across applications and maintain a cryptographic signature, providing stronger security.
There are some limitations to using Kerberos credentials as a solution for single sign-on to junctions in WebSEAL. The Federation Runtime must be running on a Windows system. Also, depending on the configuration of the environment, introducing a Kerberos single sign-on solution for junctioned servers can slow down performance. Each Kerberos token is valid only for a single Kerberos authentication, so WebSEAL must request a new Kerberos token for each separate transaction. The fact that WebSEAL must request tokens indirectly, through a SOAP request to the Federation Runtime, can also reduce performance. This solution has the least negative effect on performance in an environment where the junctioned web server can maintain session state. Because Kerberos tokens are designed for one-time use only, WebSEAL provides the following features that help minimize performance issues:
- A configurable option to retrieve SSO tokens only if a 401 (authorization required) response is received from the back-end web server. If the back-end server can maintain session state, WebSEAL does not retrieve Kerberos tokens unnecessarily. Use the always-send-tokens option in the [tfimsso:<jct-id>] stanza to specify:
  - whether a security token must be sent for every HTTP request, or
  - whether WebSEAL must wait for a 401 response before requesting the token.
- Multiple SSO tokens are requested from the Federation Runtime in the same SOAP request, using the WS-Trust web service specification. Use the token-collection-size option in the [tfimsso:<jct-id>] stanza to specify the number of tokens to retrieve from the Federation Runtime per request. The tokens are cached in the user's session and used on subsequent requests; WebSEAL requests more tokens from the Federation Runtime only after all of the cached tokens are used or expired.
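As an added illustration (not code from the IBM documentation or from WebSEAL itself), the following Python model replays a sequence of requests through a junction under the two options above and counts the WS-Trust SOAP round trips to the Federation Runtime. The token lifetime, the batch-per-SOAP-call behaviour and the back-end's session handling are assumptions of the model, not values taken from the product.

```python
"""Model of WebSEAL's one-time Kerberos SSO tokens for a junction (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class JunctionSsoConfig:
    always_send_tokens: bool    # [tfimsso:<jct-id>] always-send-tokens
    token_collection_size: int  # [tfimsso:<jct-id>] token-collection-size


@dataclass
class UserSession:
    """Per-user WebSEAL session; holds the cached tokens as expiry times."""
    cache: list = field(default_factory=list)
    soap_calls: int = 0


def fetch_tokens(session, cfg, now, lifetime):
    """One WS-Trust SOAP request to the Federation Runtime. Assumption:
    it returns token-collection-size tokens, each valid for `lifetime` s."""
    session.soap_calls += 1
    session.cache = [now + lifetime] * cfg.token_collection_size


def next_token(session, cfg, now, lifetime):
    """Hand out an unused, unexpired token; refill the cache only when every
    cached token is used or expired, as the text describes."""
    session.cache = [exp for exp in session.cache if exp > now]
    if not session.cache:
        fetch_tokens(session, cfg, now, lifetime)
    return session.cache.pop(0)  # a token is consumed exactly once


def simulate(cfg, backend_keeps_session, n_requests, lifetime=600.0, step=1.0):
    """Replay n_requests at `step`-second intervals through the junction.
    Returns (tokens_sent, soap_calls). Assumption: a back-end that keeps
    session state answers 401 only until the first authenticated request."""
    session = UserSession()
    tokens_sent, authenticated = 0, False
    for i in range(n_requests):
        now = i * step
        got_401 = not (authenticated and backend_keeps_session)
        if cfg.always_send_tokens or got_401:
            next_token(session, cfg, now, lifetime)
            tokens_sent += 1
            authenticated = True
    return tokens_sent, session.soap_calls
```

With a back-end that keeps session state, `simulate(JunctionSsoConfig(False, 1), True, 10)` needs a single SOAP call for ten requests, whereas `always_send_tokens=True` with a collection size of 1 needs ten.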