5.4. Kerberos Protocol Provider has been edited by Emmanuel Lécharny (Dec 05, 2008).

(View changes)

Work in progress

This site is in the process of being reviewed and updated.


The Kerberos provider for Apache Directory implements RFC 1510, the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos' true strength is in authenticating users without ever sending their password over the network. Kerberos is designed for use on open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.

Kerberos is named for the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.

The Apache Directory Kerberos provider is implemented as a protocol-provider plugin. As a plugin, the Kerberos provider leverages Apache Directory's MINA for front-end services and the Apache Directory read-optimized backing store via JNDI for persistent directory services.

The Kerberos provider for Apache Directory, in conjunction with MINA and the Apache Directory store, provides an easy-to-use yet fully-featured network authentication service. As implemented within the Apache Directory, the Kerberos provder will provide:

  • Authentication service (RFC 1510)
  • Ticket-granting service (RFC 1510)
  • Pre-authentication support (RFC 1510)
  • DES encryption systems (RFC 1510)
  • Triple-DES (DES3) encryption systems
  • UDP and TCP Support (MINA)
  • Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi

More Information

For help with Kerberos client configurations, check out our Interoperability Guide.


Kerberos Articles

Microsoft Interoperability


Powered by Atlassian Confluence (Version: 2.2.9 Build:#527 Sep 07, 2006) - Bug/feature request

Unsubscribe or edit your notifications preferences