Users increasingly store sensitive data electronically, relying on various network security protocols such as the Kerberos authentication protocol. Such protocols can supply network authentication using “tickets” that allow nodes communicating over a non-secure network to authenticate themselves in a secure manner. Some protocols are aimed primarily at a client-server model and provide for mutual authentication, so that the identities of both the user and the server are verified. Various protocols may require a trusted third party, such as a Key Distribution Center (KDC). A KDC typically comprises two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). The KDC maintains a database of secret keys. Each entity on the network (e.g., clients, servers, etc.) has a secret key that is known only to itself and the KDC. When two entities on a network communicate, the KDC generates a session key that can be used to secure interactions between the entities.
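The session-key issuance described above, as an added sketch that is not part of the original text: the KDC wraps one copy of a fresh session key under each party's secret key, and the service authenticates the client from the ticket alone. Assumptions: the principal names `alice` and `fileserver` are constructed, `seal`/`unseal` are a toy HMAC-based cipher standing in for a real Kerberos encryption type, and the AS and TGS are collapsed into a single `issue` step.

```python
import hashlib, hmac, json, secrets

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (stand-in, not a Kerberos enctype)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt and authenticate a JSON object under a shared secret key."""
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; fails for anyone not holding `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.db = {}  # principal name -> secret key known only to that principal and the KDC

    def register(self, principal):
        self.db[principal] = secrets.token_bytes(32)
        return self.db[principal]

    def issue(self, client, service):
        """Generate a session key and wrap one copy for each party."""
        sk = secrets.token_hex(32)
        for_client = seal(self.db[client], {"service": service, "session_key": sk})
        ticket = seal(self.db[service], {"client": client, "session_key": sk})
        return for_client, ticket

def run_exchange():
    kdc = KDC()
    k_client, k_service = kdc.register("alice"), kdc.register("fileserver")
    for_client, ticket = kdc.issue("alice", "fileserver")
    sk = bytes.fromhex(unseal(k_client, for_client)["session_key"])  # client side
    authenticator = seal(sk, {"client": "alice"})   # proves the client holds the session key
    t = unseal(k_service, ticket)                   # service side: only it can open the ticket
    who = unseal(bytes.fromhex(t["session_key"]), authenticator)["client"]
    return who == t["client"]
```

The service never sees the client's secret key, only the ticket and an authenticator bound to the session key.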
Challenges may arise when using a web login page to front a Kerberos-integrated component whose source code cannot be modified, such as a virtualized desktop service or an instance accepting only credential-based login. Typically, an unmodified component expects a credential (e.g., a password) to be entered rather than a Kerberos ticket to be presented. Exposing a user password to multiple components of a distributed system presents many security problems, such as the misrouting of data comprising a password.