
Pass through authentication (AKA the end of kerberos?)

20 Apr

K2 released pass through authentication in 1290 (the version, not the year) and many people are hailing its arrival as the end of Kerberos trouble. In many ways they are correct, but not in all. This is a VERY brief outline of what pass through authentication is (and isn’t), which will hopefully let you decide whether it is something you need to consider in your environment.

Kerberos, as I’m sure you know, is a black art which is only understood by a select group of monks who live in complete isolation and probably charge ridiculous consulting rates. For the rest of us, we have to make do with hours (or days) of fighting with Kerberos before we get a fully working architecture. In simple terms, when you make a call from one server to another your credentials are passed on to the next server so that the next server knows who you are. For example, if a user (named James) makes a request which hits your web server and your web server needs to make a call to your application server, this works just fine because your application server knows the call originated with James. However, the default way of passing these credentials on (NTLM) only passes them on for 1 ‘hop’. In the example I gave, if the application server needed to make a call to a database server, the database server wouldn’t have a clue who the call originated with, and instead of the caller being identified as James the caller would be anonymous. Kerberos solves this issue by allowing your credentials to be passed along as many hops as you like.

K2’s pass through authentication lets you bypass the need for Kerberos by basically doing the following:

  1. User makes a call to the web server which in turn makes a call to the K2 server.
  2. The K2 server needs to make a call to the database. However, when it does the database server identifies the user as ‘anonymous’.
  3. K2 realises that Kerberos isn’t enabled, so it tells the database server who the user is and then makes the call again, and voila – no more anonymous user.

This is great, but you need to realise that this only works for servers which have K2 components on them. If there are 2 hops anywhere in the call stack where there are no K2 components, then pass through authentication will (obviously) not work and you’ll need to have Kerberos enabled anyway.

I have confirmed that this extra bit of handshaking will only happen when you’re opening a connection – once the connection is open there’s no extra chatter to slow things down.
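To make the three cases above concrete (NTLM stopping after one hop, Kerberos delegating through, and K2 pass through asserting the identity between two K2 components, once per connection), here is a small Python model I have added for illustration. It is not K2’s code: the Token and Server classes, the server names, the hop accounting and the connection bookkeeping are all constructed assumptions that mirror the description in the post.

```python
"""Toy model of the NTLM 'double hop' problem, Kerberos delegation and
K2-style pass through authentication, as described in the post.

Added example for illustration only; not K2's code. Server names, the
Token class and the hop/connection accounting are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = "anonymous"


@dataclass
class Token:
    user: str
    scheme: str               # "ntlm" or "kerberos"
    hops_left: Optional[int]  # NTLM: servers that may still receive it; Kerberos: None = unlimited


@dataclass
class Server:
    name: str
    has_k2: bool = False      # does a K2 component run on this server?


def authenticate(user: str, scheme: str) -> Token:
    """The client authenticates to the first server. NTLM credentials can be
    passed on for one further hop; a Kerberos ticket can be delegated along
    as many hops as you like."""
    return Token(user, scheme, 1 if scheme == "ntlm" else None)


def forward(token: Optional[Token]) -> Optional[Token]:
    """What a server can hand to the next server in the chain."""
    if token is None:
        return None
    if token.hops_left is None:      # Kerberos delegation: no hop limit
        return token
    if token.hops_left == 0:         # NTLM: nothing left to forward
        return None
    return Token(token.user, token.scheme, token.hops_left - 1)


def call_chain(chain, user, scheme, open_connections):
    """Walk user -> chain[0] -> chain[1] -> ... and report the identity each
    server sees plus the number of pass through handshakes this call caused.

    open_connections is a set that persists between calls: once the K2
    component upstream has told the K2 component downstream who the user is
    on a connection, that connection keeps the identity and no further
    handshake happens (the 'only on connection open' behaviour)."""
    seen = {}
    handshakes = 0
    token = authenticate(user, scheme)
    prev = None
    for server in chain:
        identity = token.user if token else ANONYMOUS
        # Pass through: the caller was identified as anonymous, but both sides of
        # this hop have K2 components and the upstream side knows the real user.
        if (identity == ANONYMOUS and prev is not None and prev.has_k2
                and server.has_k2 and seen[prev.name] != ANONYMOUS):
            conn = (prev.name, server.name, seen[prev.name])
            if conn not in open_connections:
                open_connections.add(conn)   # K2 tells the next server who the user is
                handshakes += 1
            identity = seen[prev.name]
        seen[server.name] = identity
        token = forward(token)
        prev = server
    return seen, handshakes


def demo():
    """Four scenarios from the post, returned as a dict for inspection."""
    web, k2, db_k2 = Server("web"), Server("k2", has_k2=True), Server("db", has_k2=True)
    results = {}
    # 1. NTLM with no K2 components: the second hop arrives as anonymous.
    results["ntlm"] = call_chain([web, Server("app"), Server("db")], "James", "ntlm", set())[0]
    # 2. Kerberos: the identity is delegated all the way to the database.
    results["kerberos"] = call_chain([web, Server("app"), Server("db")], "James", "kerberos", set())[0]
    # 3. Pass through between two K2 components: one handshake on the first
    #    call, none on the second call over the same open connection.
    conns = set()
    first = call_chain([web, k2, db_k2], "James", "ntlm", conns)
    second = call_chain([web, k2, db_k2], "James", "ntlm", conns)
    results["passthrough"] = (first, second)
    # 4. A server without K2 components in the middle breaks the chain again.
    results["gap"] = call_chain([web, k2, Server("middleware"), db_k2], "James", "ntlm", set())[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the database seeing `anonymous` under plain NTLM, `James` under Kerberos, `James` with exactly one handshake when both sides of the hop run K2 components (and zero handshakes on the next call over the same connection), and `anonymous` again as soon as a server without K2 components sits between them.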

p.s. a hop is actually across a security boundary, not just across a server, but for the sake of illustration it makes sense to call a server a hop.


Posted by on April 20, 2011 in Extending K2, Security


2 Responses to Pass through authentication (AKA the end of kerberos?)

  1. Gabriel

    April 29, 2011 at 10:59 am

    A very handy overview of what pass through authentication really is. It is important to note that Kerberos remains the best way to implement integrated authentication across multiple systems.

    • Trent Jacobs

      April 29, 2011 at 2:21 pm

      Agreed – thanks for the comment. I don’t think we will see the back end of Kerberos for a long time, but it’s nice to know that in some situations there’s an alternative. Would I use pass through authentication as an alternative to Kerberos in an enterprise solution? Probably not, because as you say, kerberos is still the best (only?) way to implement integrated authentication across multiple systems.

