Looking at kerberos authentication in iOS7

Our recent survey into areas where we could improve mobile support for our services indicated “authentication” as such an area, specifically “allowing mobile users to use authentication mechanisms such as kerberos to access secure School services”.

I investigated how we could improve authentication for Apple iOS devices, concentrating on iOS 7, as it introduced a new feature called “Enterprise Single-Sign-On (SSO)”. This essentially adds client support for SPNEGO/Kerberos web authentication, so that web sites protected by HTTP Negotiate authentication, for example, will not repeatedly prompt users for credentials.

This works on iOS by first manually creating an XML configuration profile, as described here and here. This profile is then installed on an iOS mobile device. I created a similar profile for Informatics and installed it on an iPad. This does appear to work as intended – I was prompted only once for a username and password on visiting SPNEGO-protected sites.

In Informatics, we use SPNEGO in our Cosign infrastructure so that users who have already authenticated to kerberos will not have to authenticate again to access cosign-protected web sites. Users who have no kerberos credentials (or who haven’t configured their web-browsers) have to authenticate once by entering their username and password into a web form. This means we already have single (or reduced) sign-on for authenticated web access. The new SSO support in iOS doesn’t really help us in any meaningful way – the only benefit it would offer is that the user, on visiting weblogin.inf.ed.ac.uk, will be prompted for a username/password with an iOS7 native dialog box, rather than authenticating via a web-form. This isn’t worth the complexity of installing a configuration profile on a mobile device.

I also looked into whether any of the various iOS SSH clients supported Kerberos (GSSAPI) authentication. None of them appeared to do so and none of the authors that I contacted had plans to add this support. It is debatable whether such support would be seen as being of much benefit to end users – the real increase in usability from GSSAPI support in SSH is not having to provide a password with each SSH connection. Most iOS SSH clients provide a facility to remember a user’s password anyway, so the end result is the same, even if the underlying process is different (and inherently less secure, since a stored password persists on the device whereas a Kerberos ticket expires).
