Comment by baq
5 days ago
the fact that we have to keep reinventing kerberos all the time because it doesn't speak http is starting to legitimately annoy me.
Firefox can be configured to use Kerberos for authentication (search for "Configuring Firefox to use Kerberos for SSO"); on Windows, Chrome is supposed to do so too by adding the domain as an intranet zone.
HTTP auth can work with Kerberos.
Chrome, Firefox, Internet Explorer -- all support some form of Kerberos auth in HTTP/HTTPS.
I mean, I'm aware of SPNEGO etc. It's just that it was... ignored(?) by the startups/the community/google? Whatever little support there is is comparatively a worse experience than what we've got now for no really good reason.
Kerberos is old neckbeard tech, highly complex to set up, with layers upon layers of legacy garbage. Trying to get it working is ... a nightmare, I prefer even the garbagefest that is Keycloak over dealing with Kerberos. At least that just requires somewhat working DNS and doesn't barf when encountering VPNs, split horizon DNS or split tunnels.
The only places I've seen a working Kerberos setup outside of homelabs are universities (who can just throw endless amounts of free student labor power onto solving any IT problem) and large governments and international megacorps.