How to authenticate users in Active Directory using AuthType.Kerberos?

Question

Could anyone please share any thought on authenticating Active Directory users using the AuthType.Kerberos method.

Ideally, I would like to pass the Username and Password to validate the user credentials using the AuthType.Kerberos method

This type of validation uses LDAP connection (LdapConnection)

Any comments or feedback will be very appreciated.

Cheers! :)

Answer 1

Kerberos doesnt use a username and password in the sense you are talking about here, it uses a ticket based auth system with a central server. Kerberos is quite complicated to implement and is normally only used in cases where you want to do double hop authentication with the logged in user. This means the application wants to use the credentials of the user who has logged in to access a secondry system. For example if you have a SharePoint site which pulls data from exchange server you may want to pass the currently logged in users details from sharepoint to exchange. This is normally done with Kerberos and Constrained Delegation.

In reality what you probably want for your application is Windows authentication (NTLM) which allows the application to authenticate domain users, (However again in the common case this doesnt use a username and password at your application level either).

===EDIT===

To implement kerberos with a .Net webapp you will need to do the following

• Enable Constrained delegation for the app pool http://blogs.msdn.com/b/dotnetremoting/archive/2006/07/06/662599.aspx
• Setup SPN's for your site http://support.microsoft.com/kb/929650
• Setup your code to use kerberos when you call the remote service, this is basically just setting the protocol. You dont need to actually send the username or password

This article has some good advice around how to troubleshoot problems with the system http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx