Our Features
Kerberos Authentication
Single-Sign-On into the intranet site using Kerberos protocol which provides you with a secure authentication mechanism for all the major operating systems like Windows, Ubuntu, CentOS, RHEL, etc.
Passwordless Login
Kerberos enables passwordless authentication for automatic login within the domain network. Kerberos protocol streamlines the login process by eliminating the need for passwords and enhancing security within the network environment.
Protect Sites from External Network
Protect your website or application by restricting access to its pages from external networks. Ensure that only authorized users within the network can reach the content, enhancing security and guarding against unauthorized entry from external sources.
What is the Difference between Kerberos and NTLM?
Kerberos
Kerberos is a ticket-based authentication protocol that uses shared key cryptography for authentication and involves a third-party Key Distribution Center (KDC). It uses a series of tickets, including Ticket Granting Tickets (TGTs) and service tickets, to verify the identity of users and services
In Kerberos, no actual passwords are sent instead, encrypted tickets and session keys are used for secure authentication.
NTLM
NTLM works on a challenge/response mechanism that involves the server sending a random challenge to the client. The client responds with a hashed value of the challenge, incorporating the user's password. This hashed response is sent back to the server, which validates it.
In NTLM, hashed password responses are transmitted between the client and server during the challenge-response mechanism.
While both protocols aim to ensure secure access, the Kerberos protocol is generally considered more secure, providing stronger encryption and improved resistance against various attacks.
Why Use Kerberos Authentication Protocol?
Secure Authentication
Kerberos uses strong cryptography to authenticate users, ensuring secure access to systems and resources.
Mutual Authentication
Kerberos protocol verifies the identity of both the client and the server, ensuring the communication is secured and preventing impersonation attacks.
Cross Platform Compatibility
Kerberos is a widely adopted SSO protocol, supported by various operating systems and applications.
Use Cases & Solutions
Customer Reviews
The best support I have ever met
Some time ago I bought the Active Directory Integration / LDA plugin and also used other plugins for the integration of my user registry system. There was some incompatibility and my user registration system was not completely compatible. A member of the team helped me resolve each and every one of the incompatibilities. He worked for me customizing the plugin until it was fully supported. He has never worked with such an efficient and dedicated support team. I work with a lot of paid plugins and no support team did that well. I recommend this plugin 100%
- agonzalez12LDAP for Cloud Works Great!
MiniOrange did a great job with this plug-in. Gave us exactly what we were looking for with LDAPS authentication. Support was superb in assisting us getting this implemented. Well pleased!
- brianlaird
surprising, a very good support
I think it was quite easy to implement the LDAP, and it has also a lot of options to retrive information from the LDAP like email, name, phone.. so it's easier to get all this information in your tables. The people from support is also very nice, miniorange helped me with my configuration that was quite different. I'll recommend this plugin.
- estoespersonal
Support and configuration of LDAP Plugin
After multiple tries to solve some Plugin Issues on my own, the great Support came to help me once again. I can really suggest and recomend this Plugin for all your needs. The Support will be there every step of the way if needed.
- markotomic93
Professional level plugin , and excellent support
I'm quite impress by the very good level of support not so often these days. The plugin is at professional level and provide all the announced functionality, and more!
- fabienandreo
Perfect plugin for LDAPS connection on shared hosting WordPress
For a long time, I have been looking for plugins for my shared hosted WordPress sites and tried n numbers of plugins, but none of them met my requirements as this plugin from Miniorange, the plugin's graphics are fantastic and very easy to use. I had an attribute mapping and LDAPS requirement and with this plugin, it works great. And the support is impeccable. I submitted a request for a demo and received a response within hours. I would definitely recommend it.
- mateoowen92
High quality LDAP solution with top notch support
I used miniOrange LDAP plugin to facilitate single sign on between active directory and our wordpress site hosted on flywheel shared hosting. They are having an awesome solution to achieve the SSO on domain joined systems. The guys at miniOrange were very responsive and helpful, I must praise the support team in miniorange for their timely response in solving my problems.
- bennettfoddy
Contact Us
We are happy to help, feel free to contact us
Hi, how can we help?
Have questions or need any support with Kerberos setup? We've got you covered.
Top Questions about our Kerberos/NTLM SSO
Why am I getting a prompt to enter my credentials?
This happens when the NTLM protocol is used for Authentication instead of Kerberos.
This may occur due to multiple reasons:
- Check if you are using a domain joined machine to access the website.
- Make sure the time is synchronized between the LDAP server and webserver.
- Confirm if your browser settings and Internet options are configured for Kerberos SSO.
- If you are still facing this issue, feel free to contact us.
Can I use an existing LDAP user as a Kerberos Service principal?
Yes, you can use an existing LDAP user as a Kerberos service principal. However, this user must have a password set to never expire. Kindly make sure this account is not used by any user as the application uses this account as the Kerberos service principal and the corresponding keytab to obtain a kerberos ticket.
What is a "Kerberos client", "Kerberos server", and "application server"?
All authentication in Kerberos occurs between clients and servers. Therefore, any entity that receives a service ticket for a Kerberos service is referred to as a "Kerberos client" in Kerberos terminology. Users are often considered clients, but any principal might be one.
The Key Distribution Center, or KDC for short, is typically referred to as a "Kerberos server". Both the Authentication Service (AS) and the Ticket Granting Service (TGS) are implemented by the KDC. Every password connected to every principal is stored in the KDC. Because of this, it is essential that the KDC be as safe as feasible.
The phrase "application server" often refers to Kerberized software that clients use to interact while authenticating using Kerberos tickets. An example of an application server is the Kerberos telnet daemon.
How are realms named? Do they really have to be uppercase?
In theory, the realm name is arbitrary. You can name your realms whatever you want.
In practice a Kerberos realm is named by uppercasing the DNS domain name associated with the hosts in the to-be named realm. For example if your hosts are all in the "example.com" domain, you might call your Kerberos realm as "EXAMPLE.COM".
If you wish to have two Kerberos realms in the DNS domain "miniorange.com" for Human Resource and Sales, you might create the Kerberos realms as "HR.MINIORANGE.COM" and "SALES.MINIORANGE.COM"
The convention to use uppercase for realms names is to easily distinguish between DNS domain names (which are actually case-insensitive) and kerberos realms.
The recent revisions to the Kerberos standard have specified that uppercase realm names are preferred and lowercase realm names have been deprecated.
What programs/files need to go on each application server?
On each application server, you'll need to put:
- A Kerberos configuration file (/etc/krb5.conf).
- The Kerberos application server daemons (telnetd, rlogind, ftpd, etc).
- At least one encryption key (usually stored in /etc/krb5.keytab).
The portion that is most important is the encryption key; it must be sent to the application server host in a safe manner. Usually, the host principal (host/example.com@REALM) uses this key. It should be noted that the MIT admin client kadmin encrypts every transfer between it and the admin server, making it safe to use ktadd from within kadmin as long as you're not transmitting your admin password over the network in clear text.
If you intend to have interactive user logins on your application servers, you'll probably also want to install the Kerberos client binaries on each one.
What is GSSAPI?
GSSAPI is an acronym; it stands for Generic Security Services Application Programming Interface.
Client-server authentication is handled using the GSSAPI, a general-purpose API. The reasoning for it is because each security system has its own API, and because security APIs differ so much, it takes a lot of work to add various security systems to apps. The generic API could be written to by application providers, and it would be compatible with a wide range of security systems if there were a common API.
What is cross-realm authentication?
Any Kerberos principal can establish an authentication connection with another principal inside the same Kerberos realm. However, a Kerberos realm can also be set up to allow principals from different realms to authenticate with one another. This is called cross-realm authentication.
This is accomplished by having the KDCs in the two realms share a unique cross-realm secret, which is used to validate the identification of principals when they cross the realm border.
How do I change the master key?
In Kerberos 5 you can not change the master key.
You have the option to modify the master key using the kadmin. The master key, however, is used to encrypt every database entry and is most likely also kept in a stash file (depending on your site). The stash file or all of the database records won't be updated if the master key is changed using kadmin.
To change the master key, Kerberos 4 offered a command, and it carried out the necessary actions. For Kerberos 5, no one has (yet) implemented this capability.
Need Help? We are right here!
