Kerberos and forms-based authentication

  • Question

  • Hi,

    Is it possible to implement Kerberos authentication through a login form, rather than through Windows integrated authentication?

    We have a SharePoint 2010 product that provides 2-factor authentication. It requires claims-based authentication and forms-based login. However, our customer requires that users are authenticated via Kerberos. Given that users enter their AD username and password in the form, is there any way to get the relevant Kerberos token through server-side code in the login validation?

    Thanks

    Robin Withey

    Swivel Secure Ltd.

    Tuesday, March 1, 2011 10:19 AM

Answers

  • This isn't possible unless you deploy TMG or UAG, which can delegate Windows authentication.
    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    • Proposed as answer by Chris Geier Tuesday, March 1, 2011 2:01 PM
    • Marked as answer by Swivel Secure Tuesday, March 1, 2011 2:23 PM
    Tuesday, March 1, 2011 1:59 PM

All replies

  • Thanks, Spencer,

    That's what I thought. Unfortunately, they are not prepared to use TMG, ISA Server or UAG.

    Is there some technical reason why this is not possible, given that it can be done via TMG etc? Can we not simulate how TMG does it? That uses forms-based authentication. Or would that require a separate front-end server?

    I need to be able to justify my assertion that it's not possible, since the customer is adamant that Kerberos authentication is required, and our solution cannot work with Windows authentication, as a secondary password is required.


    Robin Withey Swivel Secure Ltd.
    Tuesday, March 1, 2011 2:07 PM
  • When you use FBA against AD, you are just doing an LDAP bind to perform authentication. This is not Windows Authentication and thus does not and cannot participate in Kerberos.

    To "simulate" the functionality of TMG etc. you would need to license the Windows authentication protocol and effectively rebuild that solution. This simply isn't viable.

    Your customer requirements are invalid! If they need Kerberos, then you need Windows authentication, it's that simple. You could look at another third-party Kerberos subsystem, but then you would have to build a trusted identity provider for that.


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    Tuesday, March 1, 2011 2:20 PM
  • OK, thanks for your input.
    Robin Withey Swivel Secure Ltd.
    Tuesday, March 1, 2011 2:27 PM