Kerberos is an authentication protocol used for single sign-on in intranets. With Kerberos, a Key Distribution Center (KDC) distributes encrypted tickets and session keys to users and services for use in communication with one another. The encryption used is based on a shared secret, such as a password. The session keys permit messages to be encrypted and decrypted.
With single sign-on, a user does not need to use the same password for authentication to various services in the network, does not need to share a separate password with each service in the network, and does not have to enter his password more than once. Rather, the encrypted ticket and session key acquired by the user are used to authenticate the user and to encrypt and decrypt messages.
Originally, Kerberos was a password-based authentication service. Work is being done to standardize a framework for using more flexible authentication mechanisms for Kerberos initial authentication. However, Kerberos is not easily implemented in some directory services that use connection-based authentication services, which provide secure channels over which authentication mechanisms exchange data. It is difficult to tunnel exchanges for such authentication services through a Kerberos KDC, as the authentication services may use various sequences of multiple authentication mechanisms.
The Kerberos specification has been updated in RFC 4120. Section 7.2.2 of RFC 4120 covers the use of TCP transport for Kerberos requests, and indicates that the KDC may close the TCP stream after sending a response but may leave the stream open for a reasonable period of time if it expects a follow-up. Exchanges for an authentication service could be tunneled through a Kerberos KDC if the authentication service maintains state and a transport layer is added for the authentication service.
Novell Modular Authentication Service (NMAS) has the following layers: Transmission Control Protocol (TCP) or Internetwork Packet Exchange (IPX); Network Core Protocol (NCP); and Multi-Authentication Framework (MAF) exchanges. If NMAS exchanges have to be tunneled through Kerberos KDC exchanges, a new Kerberos-based transport layer needs to be added to NMAS for the exchange of NMAS protocol data in Kerberos protocol packets. Authentication services that use SSL for securing their exchanges with the user will also have to support a new transport layer. However, the addition of a new transport layer is complex to implement. Additionally, existing Kerberos KDC implementations do not support multiple rounds of communication. As such, tunneling exchanges of an external authentication service through Kerberos exchanges would require major design changes to existing KDC implementations.