Every time users log into a service by providing their credentials, they are potentially exposed to attacks, especially if they’re using unsafe network protocols. For instance, an attacker could use a simple packet sniffer to recover your user ID and password if they’re not encrypted.

What does this mean? Every time I provide my credentials to a service, should I be afraid that they could be stolen? Potentially. However, there are many precautions that we should consider when accessing a service over the internet, like:
To address potential insecurity when using authentication, new safe protocols have been created, and one of them is Kerberos.

What is Kerberos?

In Greek mythology, Kerberos is the three-headed creature that guards the gates of the underworld to prevent souls from escaping. With that as its inspiration, the Massachusetts Institute of Technology developed a protocol to protect its own projects in the late 1980s. The idea behind Kerberos is simple: authenticating users while avoiding sending passwords over the internet. This protocol can be easily adopted even on insecure networks, as it is based on strong cryptography and developed on a client-server model. Enabling a service to use Kerberos authentication is referred to as making the service “Kerberos aware”. This is actually possible for the majority of software.

How Kerberos Works

When authenticating, Kerberos uses symmetric encryption and a trusted third party called a Key Distribution Center (KDC). At the moment of authentication, Kerberos stores a specific ticket for that session on the user’s machine, and any Kerberos-aware service will look for this ticket instead of prompting the user to authenticate with a password.

[Figure. Source: BMC Software]

These are the steps in Kerberos Authentication:
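The ticket mechanism described above (a KDC that shares a symmetric key with each party, and a ticket the service accepts in place of a password) can be sketched in a few functions. This is an added example, not code from the original article or from BMC: the toy cipher, the principal names alice and HTTP/portal, and the single combined KDC call are assumptions made for illustration.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):
    # Toy authenticated encryption (SHAKE-256 keystream + HMAC tag): a stand-in
    # for the real Kerberos enctypes. Assumption for illustration, not production.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def key_from_password(password, principal):
    # Long-term user key is derived locally; the password never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password, principal.encode(), 10_000)

class KDC:
    def __init__(self):
        self.keys = {}  # principal -> long-term key shared with the KDC

    def issue(self, user, service, lifetime=300):
        sk = os.urandom(32).hex()  # fresh session key for this user/service pair
        for_client = seal(self.keys[user], {"session_key": sk, "service": service})
        ticket = seal(self.keys[service],
                      {"user": user, "session_key": sk, "expires": time.time() + lifetime})
        return for_client, ticket  # the ticket is opaque to the client

def client_request(user_key, user, for_client, ticket):
    sk = bytes.fromhex(unseal(user_key, for_client)["session_key"])
    return ticket, seal(sk, {"user": user, "ts": time.time()})  # ticket + authenticator

def service_accept(service_key, ticket, authenticator, skew=300):
    t = unseal(service_key, ticket)  # only the service and the KDC hold this key
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    now = time.time()
    if now > t["expires"] or a["user"] != t["user"] or abs(now - a["ts"]) > skew:
        raise ValueError("expired ticket or stale authenticator")
    return t["user"]

def login(password, kdc, service_key):
    # Hypothetical principals "alice" and "HTTP/portal" (constructed sample values).
    for_client, ticket = kdc.issue("alice", "HTTP/portal")
    return service_accept(service_key, *client_request(
        key_from_password(password, "alice"), "alice", for_client, ticket))
```

A wrong password fails on the client when the KDC reply cannot be unsealed, and the service rejects expired or modified tickets without ever seeing the password.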
Kerberos integration is also supported by Remedy Single Sign On, the main authentication module used by a great number of BMC products. In Remedy Single Sign On, it is possible to configure Kerberos as the authentication service. In this case, Remedy Single Sign On validates the token that is sent from a client (e.g., a browser requesting access to BMC Digital Workplace) together with a KDC and lets the user log into the application using his or her Windows credentials.

Advantages & disadvantages of Kerberos

Like many technical solutions, Kerberos has advantages as well as some weaknesses. The principal advantages in adopting Kerberos as an authentication service are:
The weaknesses of Kerberos are:
Installing & using Kerberos

When using Kerberos authentication in Remedy Single Sign On, you need to remember to enable Kerberos authentication for the browsers you’re using. It is not always enabled by default. Here’s how to do that for two commonly used web browsers. For Internet Explorer:
For Firefox:
As you can see, Kerberos provides another way to authenticate that thwarts bad actors who hope to steal passwords. Even further, it can be effectively utilized with applications that are Kerberos aware. While there are some downsides, it’s another tool to make single-sign-on run smoothly while keeping passwords safe. If you would like to utilize Kerberos with your BMC Remedy Single Sign On, please fill out our form and an expert will reach out to get you started.

Which type of authentication does Kerberos provide?

Kerberos uses symmetric key cryptography and requires trusted third-party authorization to verify user identities.
What is meant by Kerberos authentication?

Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos, an authentication server and database are used for client authentication. Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC).
Is Kerberos multi-factor authentication?

Kerberos supports multifactor authentication (MFA). NTLM gives the user's client no way to validate the identity of the server it's authenticating to, but Kerberos provides mutual authentication.
What are the types of Kerberos?

Kerberos Encryption Types:
des-cbc-md5
des-cbc-crc
des3-cbc-sha1-kd
arcfour-hmac-md5
arcfour-hmac-md5-exp
aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96