
Confused with SSO and Kerberos

  Asked By: Camille    Date: Apr 26    Category: Sharepoint    Views: 1695

We are doing some up-front planning and have a few questions with regard to when
each authentication method is used:

1. When do you use SSO as opposed to Kerberos?
2. When do you use Kerberos as opposed to SSO?
3. When do you use both together?



3 Answers Found

Answer #1    Answered By: Harvey Blankenship     Answered On: Apr 26

SSO is a credential cache - it is agnostic as to the system which will
ultimately consume the credentials, and the credentials don't need to be a
1:1 mapping with users.

Kerberos (at least in the Windows world) is used to make Windows credential
security better and allows for "hop" scenarios where a user's credentials
are passed from server to server.

SSO is useful for custom apps and for connecting to backend systems where
Windows authentication is not an option or a 1:1 credential map is not

Kerberos is useful for things like the RSS feed web part where
authentication is a Windows user but needs to pass through one or more
intermediate servers.

Answer #2    Answered By: Xiomara Blanchard     Answered On: Apr 26

These are a few big topics so I'll try to break them down a bit.

SSO comes in two flavors in SharePoint:

SSO into SharePoint - users sign into SharePoint from a foreign directory.
An example would be using ADFS or something else.

SSO out of SharePoint into something else - this enables users to store
passwords to automatically sign them into other applications; it requires yet
another database and encryption keys.

Kerberos is a ticketing system that will only work within a Windows domain
(it may work across a forest but I'm not sure). A user gets a login ticket
from the domain controller and uses that to sign into SharePoint (only if
the appropriate URL is within the trusted site list with IE). Kerberos is
the preferred way within organization boundaries. In this case, code and
components can be executed as if they were run directly by the user, i.e.
the component impersonates the user using the ticket.

Kerberos can also be used internally for different SharePoint components.
Kerberos protocols operate outside the normal boundaries of HTTP ports and
are therefore generally not usable over the internet due to firewall

1. When do you use SSO as opposed to Kerberos?
When you have a user base at another facility that you wish to access the
system over the internet.

2. When do you use Kerberos as opposed to SSO?
Kerberos is great for internal usage and when everything is located within
the same Windows domain.

3. When do you use both together?
You can use Kerberos for local users on one site, then extend that site for
public internet-facing sites for SSO users to authenticate to.

Answer #3    Answered By: Rosemarie Cervantes     Answered On: Apr 26

SSO is a system to securely store credentials for other systems that can be
retrieved by a user who is authenticated to one system like SharePoint.

Kerberos is an authentication mechanism that is a standard recognized by many
different types of systems. A centralized Kerberos system could therefore be
used to log on to multiple systems with a single set of credentials.
