Re: Freeradius kerberos

Thiago Gonzaga B. Galvão thiagobandinha at
Fri Jul 9 16:17:30 CEST 2010

So, does anyone have any ideas how to get the TGT to make the single sign-on that I 

From: John Dennis <jdennis at>
To: FreeRadius users mailing list <freeradius-users at>
Cc: Thiago Gonzaga B. Galvão <thiagobandinha at>
Sent: Thursday, 8 July 2010 10:56:42
Subject: Re: Freeradius kerberos

On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:
> Hi guys,
> I have the following situation on my network...
> I have an OpenLDAP server working as well, and it stores all my users'
> information...
> I configured a Kerberos server to use this OpenLDAP as a backend...
> We would like to implement a Single Sign On to our "web intranet" using
> Kerberos tickets...
> The user will authenticate onto a FreeRADIUS server, it will refer to the
> external source Kerberos, and Kerberos will be configured with an OpenLDAP
> backend (the OpenLDAP server that I have).
> Is it possible??? Instead of FreeRADIUS directly authenticating to LDAP,
> it would pass by Kerberos, and Kerberos communicates with OpenLDAP... if
> username/password OK, the user will be authenticated and receive a
> Kerberos ticket...

That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT (ticket 
granting ticket) on behalf of the user using the supplied password. If the TGT 
request succeeds, FreeRADIUS considers that a successful authentication. The 
problem is that the TGT, which is *necessary* for single sign-on (software on behalf 
of the user supplies the TGT when necessary), is not available because it's not 
returned in the RADIUS protocol. The TGT obtained by FreeRADIUS on behalf of the 
user is effectively thrown away and is not available for further use.

-- John Dennis <jdennis at>
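As an added illustration (not configuration from this thread or from the FreeRADIUS project), this is roughly how a FreeRADIUS 2.x server is set up to do what John describes: the cleartext User-Password from the Access-Request is handed to rlm_krb5, which runs the Kerberos AS exchange and reports only success or failure back as Access-Accept or Access-Reject. The paths, realm, principal name and the `Kerberos` Auth-Type value are assumptions.

```conf
# raddb/modules/krb5 (illustrative; paths and principal are placeholders)
krb5 {
	# Keytab holding the key of the service principal below. rlm_krb5 uses it
	# to verify that the TGT it just obtained really came from the trusted
	# KDC (guards against a spoofed KDC answering the AS exchange).
	keytab = /etc/raddb/radius.keytab
	service_principal = radius/radius.example.org@EXAMPLE.ORG
}

# raddb/sites-enabled/default (relevant fragments only)
authorize {
	# Only PAP-style requests carry a cleartext User-Password; the Kerberos
	# password check needs it, so CHAP/MS-CHAP requests cannot use this path.
	if (User-Password) {
		update control {
			Auth-Type := Kerberos   # assumed Auth-Type name
		}
	}
}

authenticate {
	Auth-Type Kerberos {
		# rlm_krb5 requests a TGT for User-Name with User-Password.
		# Success -> Access-Accept, failure -> Access-Reject.
		# The TGT itself is discarded; no RADIUS attribute carries it
		# back to the NAS or the user's machine.
		krb5
	}
}
```

The Access-Accept that results contains only ordinary RADIUS attributes (session, VLAN, and so on), which is the gap John points out: nothing in this exchange delivers a credential the user's browser could later present to the intranet.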
