  • How To Authenticate via Kerberos

    About Kerberos

    Kerberos is a network authentication protocol that provides mutual authentication (the client verifies the service just as the service verifies the client) and single sign-on. It centralizes authentication on one server, or a replicated set of servers, called Key Distribution Centers (KDCs); in Active Directory the domain controllers act as KDCs. A KDC holds the long-term key of every user and every service principal in its realm (for users, a key derived from the password). A client authenticates once to the KDC and receives a ticket-granting ticket (TGT); it then presents the TGT to obtain a service ticket for each service it wants to use. A service ticket is encrypted with the target service's key, so the service can verify the user's identity without contacting the KDC and without the user's password ever crossing the network.

    Configuration Options

    Once a user holds a ticket for the front-end service (here Nextcloud), that service may need to act on the user's behalf towards a further service, for example a file server mounted as external storage. This is called delegation, and Active Directory offers the following three ways of configuring it:

    Unconstrained delegation

    With unconstrained delegation the client sends a forwarded copy of the user's ticket-granting ticket (TGT) along with the service ticket, and the front-end server keeps it. The server can then request tickets from the KDC as that user for any Kerberos-enabled service, with no restriction on the target. The security risk is obvious: as soon as a server trusted for unconstrained delegation is compromised, the attacker holds the TGTs of every user who has authenticated to it and can impersonate them against every service in the domain. The more privileged the accounts that log on to that server, the greater the impact.

    Constrained delegation

    Constrained delegation was introduced to address the problems of unconstrained delegation. The front-end server no longer receives the user's TGT; instead it asks the KDC for a ticket to a back-end service on the user's behalf, and the KDC grants it only if the target service name appears in a list configured on the front-end account (the msDS-AllowedToDelegateTo attribute). If the front-end server is compromised, the attacker is limited to the services on that list. The list can be edited only by an administrator of the domain that holds the front-end account, and the target services must be in that same domain.

    Resource-based constrained delegation

    Resource-based constrained delegation extends constrained delegation by moving the configuration from the front-end service to the back-end resource: the resource's account lists which front-end accounts are allowed to delegate to it (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute). Because the decision is made where the resource lives, it works across domain and forest boundaries, and the owner of the resource controls it without a domain administrator having to modify the front-end service account.
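
    The following PowerShell is an added example for the three delegation types above; it is not part of this page or of Nextcloud. It audits an Active Directory domain for every account that has unconstrained, constrained or resource-based delegation configured, removes unconstrained delegation where it is found, configures the two constrained variants, and hardens privileged accounts against delegation. The host names NEXTCLOUD01 (front-end web server), FILES01 (back-end SMB server used as external storage), the domain corp.example and the user admin.alice are assumptions; the RSAT ActiveDirectory module and domain administrator rights are required.

```powershell
# Added example (not from the original page): audit and configure Kerberos
# delegation in Active Directory. NEXTCLOUD01, FILES01, corp.example and
# admin.alice are hypothetical names. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Audit: list every account with any form of delegation configured.
function Get-KerberosDelegation {
    # Unconstrained: TRUSTED_FOR_DELEGATION (0x80000 = 524288) in userAccountControl.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.Name; Type = 'Unconstrained'; Detail = 'any service' }
        }

    # Constrained: the target SPN list lives on the front-end account.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
        ForEach-Object {
            # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) = protocol transition,
            # which lets the front end impersonate users who never authenticated to it.
            $pt = ($_.userAccountControl -band 0x1000000) -ne 0
            [pscustomobject]@{
                Account = $_.Name
                Type    = if ($pt) { 'Constrained (protocol transition)' } else { 'Constrained' }
                Detail  = 'targets: ' + ($_.'msDS-AllowedToDelegateTo' -join ', ')
            }
        }

    # Resource-based: the back-end resource carries a security descriptor naming
    # the front ends that may delegate to it.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                 -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
        ForEach-Object {
            $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            $frontEnds = $sd.Access | ForEach-Object { $_.IdentityReference.Value }
            [pscustomobject]@{
                Account = $_.Name
                Type    = 'Resource-based'
                Detail  = 'allowed front ends: ' + ($frontEnds -join ', ')
            }
        }
}

# 2. Remediate the weak setting: if the audit shows NEXTCLOUD01 as Unconstrained,
#    clear the flag. A compromised host with this flag holds TGTs of every user
#    who logged on to it.
Get-ADComputer -Identity NEXTCLOUD01 | Set-ADAccountControl -TrustedForDelegation $false

# 3. Classic constrained delegation: NEXTCLOUD01 may obtain tickets as the user
#    only for the CIFS service on FILES01. Both SPN forms are listed because
#    clients may request either; they must be registered on FILES01
#    (check with: setspn -L FILES01). TrustedToAuthForDelegation is deliberately
#    left unset: users reach Nextcloud with Kerberos, so protocol transition
#    (S4U2self) is not needed and would only widen the blast radius.
Set-ADComputer -Identity NEXTCLOUD01 -Add @{
    'msDS-AllowedToDelegateTo' = @('cifs/FILES01.corp.example', 'cifs/FILES01')
}

# 4. Resource-based constrained delegation (preferred): configured on the
#    back-end FILES01 and naming the front end allowed to act towards it.
#    Works across domain boundaries and needs write access to FILES01 only.
$frontEnd = Get-ADComputer -Identity NEXTCLOUD01
Set-ADComputer -Identity FILES01 -PrincipalsAllowedToDelegateToAccount $frontEnd

# 5. Defence in depth: privileged accounts get "sensitive and cannot be
#    delegated" and join Protected Users, so no front end, however it is
#    configured or compromised, can obtain tickets in their name.
Set-ADAccountControl -Identity admin.alice -AccountNotDelegated $true
Add-ADGroupMember -Identity 'Protected Users' -Members admin.alice

# Re-run the audit to confirm the resulting state.
Get-KerberosDelegation | Format-Table -AutoSize
```

    Steps 3 and 4 are alternatives; in practice you would keep one of them. The audit function is useful on its own: run it before any change, and treat every account in the Unconstrained row, and every Constrained entry marked with protocol transition, as a finding to justify or remove.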

    Recommendation