Kerberos v4 web authentication protocol example

This is meant to provide a brief overview of the protocol used by the Umich Kerberos v4 authentication browser plug-in and Apache server module. Non-essential headers have been omitted for clarity.


0. The server is authenticated to the client via SSL

Your standard SSL handshake and session establishment.
*Granted, this part isn't Kerberos, but we do the best we can with what we've got.


1. The client sends the original request (or, if it can, it starts at step 3)

GET /private/index.html HTTP/1.0
User-Agent: Lynx/2.7.1 libwww-FM/2.14
Host: lukyduk.ifs.umich.edu
Accept: */*
*For the plug-in, the User-Agent: is Mozilla (Netscape or MSIE).


2. The server returns an authentication challenge for access to this URL

HTTP/1.1 401 Authorization Required
Date: Wed, 04 Jun 1997 22:32:50 GMT
Server: Stronghold/2.0 Apache/1.2b10
Connection: close
WWW-Authenticate: KerberosV4 realm="www.lukyduk@UMICH.EDU"
Content-type: text/html
*If the request came from a plug-in-capable browser, the challenge is returned in an <EMBED> tag in the accompanying HTML page (which prompts the client to load the plug-in). A client with the plug-in installed will not see this page at all (it is marked NOEMBED); a client without it will see the standard "Authorization required" page with instructions on how to get the plug-in.


3. The client then gets a ticket for the server, and resubmits the request with authentication credentials

GET /private/index.html HTTP/1.0
Host: lukyduk.ifs.umich.edu
Accept: */*
User-Agent: Lynx/2.7.1 libwww-FM/2.14
Authorization: KerberosV4 ticket="AQAAAGcEBgBVTUlDSC5FRFUAOCC/kPDnbl \
wHA9otfa68MK1onof75oRNm73FADa3UVqXv2aWtdZjPF8M2JZbr+bE8L/Rb+IcD7AuLL \
+kKnh6C8hvIqNmsAVy1fM21Bnk8MHtFHv0isoM8Noq" checksum="6482b0ff88cbb8 \
ad7125f9e1a9c187d2"
*The checksum field is the HMAC-MD5 of the request URL's protection space /private/, keyed with the Kerberos session key. The plug-in returns the credentials in a Cookie: header instead of an Authorization: header.


4. The server verifies the client credentials, and sends back the requested document

HTTP/1.1 200 OK
Date: Wed, 04 Jun 1997 23:09:32 GMT
Server: Stronghold/2.0 Apache/1.2b10
Content-Type: text/html
Last-Modified: Fri, 18 Apr 1997 08:09:42 GMT
Content-Length: 2025
*For plug-in clients, the credentials are sent back for use with images within the same directory (enforced by the HMAC-MD5) in a Set-Cookie: header. Subsequent accesses then begin at step 3, until the cookie expires (5 seconds) or the client requests a URL outside this protection space.
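As an added illustration of steps 3 and 4 (not code from the Umich plug-in or Apache module), the Python below builds the Authorization: header with its checksum field on the client side and verifies it on the server side, including the "same directory only" property. The session key, the ticket bytes and the session_key_for_ticket lookup are constructed stand-ins; decrypting a real Kerberos v4 ticket with the service key is out of scope.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample values: a real client gets these from the Kerberos
# ticket-granting service, and the server recovers the session key by
# decrypting the ticket with its service key (not shown here).
SESSION_KEY = bytes.fromhex("0123456789abcdef")   # 8-byte DES key, constructed
TICKET = b"constructed-opaque-kerberos-v4-ticket"  # stands in for real ticket bytes


def protection_space(url_path):
    """Protection space of a URL: its directory, e.g. /private/index.html -> /private/."""
    path = urlsplit(url_path).path or "/"
    return path[: path.rfind("/") + 1]


def checksum(session_key, space):
    """HMAC-MD5 of the protection space keyed with the Kerberos session key (hex)."""
    return hmac.new(session_key, space.encode("ascii"), hashlib.md5).hexdigest()


def build_authorization(session_key, ticket, url_path):
    """Client side of step 3: the value of the Authorization: header."""
    b64 = base64.b64encode(ticket).decode("ascii")
    mac = checksum(session_key, protection_space(url_path))
    return 'KerberosV4 ticket="%s" checksum="%s"' % (b64, mac)


_FIELD = re.compile(r'(\w+)="([^"]*)"')


def verify_authorization(header, url_path, session_key_for_ticket):
    """Server side of step 4. session_key_for_ticket(ticket) is an assumed hook that
    decrypts the ticket with the service key and returns the session key, or None."""
    scheme, _, rest = header.partition(" ")
    if scheme != "KerberosV4":
        return False
    fields = dict(_FIELD.findall(rest))
    try:
        ticket = base64.b64decode(fields["ticket"], validate=True)
        presented = fields["checksum"].encode("ascii")
    except (KeyError, ValueError, UnicodeEncodeError):
        return False
    key = session_key_for_ticket(ticket)
    if key is None:
        return False
    # Recompute over the *requested* URL's directory: credentials minted for
    # /private/ do not verify for /other/ or /private/images/. Constant-time compare.
    expected = checksum(key, protection_space(url_path)).encode("ascii")
    return hmac.compare_digest(expected, presented)
```

The plug-in carries the same two fields in a Cookie: header; only the header name differs, so the verification logic is identical.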


dugsong / dugsong@umich.edu / mtime: