Re: Cannot Create A Web Site
on 04.04.2008 20:02:55 by Le Chaud Lapin

On Apr 4, 12:16 pm, "Ken Schaefer" wrote:
> "Le Chaud Lapin" -46be-8b97-35f4f07dfdc4@a23g2000hsc.googlegroups.com...
> On Apr 2, 9:29 pm, "Ken Schaefer" wrote:
>
> >> Microsoft has an enormously simple Kerberos implementation. You just
> >> install AD. You add your machines to the domain. And away you go. Everything
> >> is taken care of for you. It works for hundreds of millions of machines with
> >> most people not having any idea that it's even there. The total number of
> >> other non-Windows Kerberos implementations is probably just a rounding error.
>
> > As I mentioned, I did study Kerberos in sufficient detail not long
> > after it was out, and as I recall, there are certain things about it
> > that are not going to be made less complex no matter what the
> > "implementation." The model itself is complex.
>
> > In any case, I think a quick visit to the Kerberos USENET group will
> > reveal that there are people there with 20+ years of software engineering
> > experience, engineering knowledge of cryptographic primitives, strong
> > practical knowledge of computer networking, and general knowledge of
> > programming...and they still ask questions and wait several days for
> > the right answer. Do you call that "enormously simple"?
>
> It is enormously simple because there are hundreds of millions of computers
> (and users) out there, right now, authenticating with Kerberos and no one
> has to do anything to make it work.
Certainly, you don't actually believe this.
I gave this link:
http://www.oreilly.com/catalog/kerberos/reviews.html#
Is that characterization incorrect?
> I work for a global consulting company. We've probably designed ADs for
> several million, if not tens of millions, of users by now in the enterprise
> space (you can go look up my details on the web). It just works.
>
> I'd like to think I know a reasonable amount about how Kerberos works too:
> http://www.adopenstatic.com/cs/blogs/ken/archive/2007/07/19/8460.aspx
>
> The problem with *other* kerberos systems is exactly poor implementation.
> Microsoft makes everything "just work" out of the box. Other systems are
> mostly a PITA.
>
> > Maybe the author and I and all those frustrated people in the Kerberos
> > group have different ideas of what is "enormously simple" than you.
>
> I said that the Microsoft implementation is "enormously simple". And I have
> the practical experience of years of AD
> design/implementation/troubleshooting to back that up. Your googling for
> other random problems that people are having is, well, mostly irrelevant.
Random people having problems. Hmmm..
> > I have only been doing research in PKI for over a decade now, and
> > PKI, if done right, is a *lot* simpler than these other systems.
>
> No. Not really.
>
> Microsoft makes PKI simple(r) in a domain as well. Machines and Users are
> auto-enrolled for certificates for common functions (like machine/user
> authentication, IPSec, EFS). But admins still need to configure a vast array
> of stuff (who can auto-enroll), where are you going to publish revocation,
> how are you going to secure your root CA certs, what are the processes
> around managing that.
I'll be sure to add you to the reviewer's list when I publish my work
next year.
> On the other hand, Kerberos just works. krbtgt is created for you, AS/TGT
> works out of the box. Auto-renewal of TGT happens under the covers. SPNs are
> auto-registered by most setup applications. It just "works" with no real
> configuration required by anyone.
I'm sorry, I simply don't believe you. As I mentioned, I just spent
167 hours trying to get IIS 7.0 to work in its "out-of-box"
configuration, and I understand the technical fundamentals of
Kerberos, and I have copious amounts of evidence from other skilled
engineers besides yourself who have trouble setting up not only
Kerberos, but Active Directory too on Windows. The evidence from my
point of view overwhelmingly points toward not-as-simple-as-you-say.
> > If I get to login once on my PC, and never
> > have to enter another username/password combination _anywhere_, not
> > for WebDAV, not for Network Neighborhood, not for SQL Server, Not for
> > IIS, or any website,...well then...then you know you've found a quasi-
> > terminal solution to the problem.
>
> You can set this up easily enough:
> a) IE can be configured to send your credentials automatically to websites
> (in fact, it does by default for sites in the Intranet security zone). You
> can use Group Policy to add all your internal sites to the Intranet zone for
> users in your domain
I was thinking of something a little more theoretically fundamental,
where I would not have to specify a username/password on a website.
It would have to work just as well for the senior citizens in my
family too (my criteria).
> b) SQL Server supports Windows Authentication. You can transparently logon
> using your current Windows credentials
Hmm...
> c) Active Directory domains allow you to use a single Windows
> username/password to access both your machine, and CIFS/SMB shares.
Hmm again.
> It's all there. If it's not working for you, then you haven't got it setup
> right.
>
> As mentioned before - your lack of understanding does not mean that the
> system is "a mess". The proof is that many millions of users in
> organisations large and small have this working just fine already.
The next time anyone says, "We really need to fix this...", I'm going
to take this last paragraph out of my wallet and say,
"Wrong! Look at this:"
-Le Chaud Lapin-
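Ken's point (a) is that IE hands Windows credentials to any site in the Intranet zone, so an administrator should know exactly which hosts have been mapped there. The following PowerShell audit is an added example, not code from either poster; it reads the per-user ZoneMap entries and the Group Policy "Site to Zone Assignment List" values and flags zone 0/1 mappings whose host is not under an approved internal suffix. The approved-suffix list is a placeholder you replace with your own domains.

```powershell
# Added example: audit which hosts this user's IE maps into the Local Machine (0)
# or Intranet (1) zone, where Windows credentials are sent automatically.
# $ApprovedSuffixes is a hypothetical placeholder; substitute your internal domains.
$ApprovedSuffixes = @('corp.example', 'intranet.example')

$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# Mappings made in the IE UI live under ZoneMap\Domains; mappings pushed by the
# Group Policy "Site to Zone Assignment List" live under Policies\...\ZoneMapKey.
$UserRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-UserZoneMappings {
    # ZoneMap\Domains\<domain>[\<host>] holds DWORD values named by scheme
    # ('http', 'https' or '*') whose data is the zone id.
    if (-not (Test-Path $UserRoot)) { return }
    Get-ChildItem -Path $UserRoot -Recurse | ForEach-Object {
        $key   = $_
        $rel   = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        $parts = $rel -split '\\'          # "example.com\www" -> host.domain
        [array]::Reverse($parts)
        $fqdn  = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{ Source = 'User'; Host = $fqdn; Scheme = $scheme; Zone = [int]$key.GetValue($scheme) }
        }
    }
}

function Get-PolicyZoneMappings {
    # ZoneMapKey holds REG_SZ values: name = URL or host pattern, data = zone id.
    if (-not (Test-Path $PolicyRoot)) { return }
    $key = Get-Item -Path $PolicyRoot
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Source = 'Policy'; Host = $name; Scheme = '*'; Zone = [int]$key.GetValue($name) }
    }
}

$mappings = @(Get-UserZoneMappings) + @(Get-PolicyZoneMappings)
foreach ($m in $mappings) {
    $zone = $ZoneNames[$m.Zone]
    $flag = ''
    # Zones 0 and 1 get automatic credentials; flag them unless the host is under an approved suffix.
    if ($m.Zone -le 1 -and -not ($ApprovedSuffixes | Where-Object { $m.Host -like "*$_*" })) {
        $flag = '  <-- credentials sent automatically to a non-approved host'
    }
    '{0,-6} {1,-12} {2,-6} {3}{4}' -f $m.Source, $zone, $m.Scheme, $m.Host, $flag
}
```

Run it in the context of the user whose zone settings you want to review; machine-wide policy can also land under HKLM, which this example does not read.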