About Kerberos
By default, Project Portal uses the NT LAN Manager (NTLM) authentication that is built into Windows. Kerberos is an optional network authentication protocol that is stronger than NTLM, and Project Portal can be configured to use it.
When Project Portal is configured with the Kerberos add-on, the Kerberos realm is the Active Directory domain. Microsoft Active Directory is the Kerberos Key Distribution Center. It also provides the Authentication Service and Ticket Granting Service.
Project Portal is the Service Server or the Application Server depending on the terminology used.
Project Portal authentication through Kerberos is performed as follows:
- The user logs on to Windows.
- Microsoft Active Directory authenticates the user and issues a Ticket Granting Ticket for them.
- When the user connects to Project Portal for the first time, an AJAX script requests a Project Portal authentication token from the Project Portal single sign-on script.
- To access the single sign-on script, Apache and the Project Portal Kerberos add-on demand valid Kerberos negotiations.
- The user's browser sends a request on their behalf to the Ticket Granting Service to get a Service Ticket for Project Portal. That request contains the user's Ticket Granting Ticket and the Project Portal Service-Principal ID.
- The Ticket Granting Service replies with a Service Ticket.
- The user is authenticated by the Project Portal Kerberos add-on.
- The Project Portal single sign-on script gives the user a valid Project Portal authentication ticket.
- The authentication ticket grants the user access to Project Portal.
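When verifying a deployment, it helps to confirm that the browser really presented a Kerberos Service Ticket in the negotiation step rather than falling back to NTLM. The following is an added example, not Project Portal code: it assumes the negotiation uses the standard HTTP Negotiate (SPNEGO) scheme and that you have the `Authorization` header value from a proxy or debug capture. The function names and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                              # NTLM message signature

def classify_negotiate(header_value):
    """Classify an HTTP Authorization header value as kerberos, ntlm or other."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                    # raw NTLM, no GSS-API framing
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"                 # not a GSS-API InitialContextToken
    n = token[1]                         # DER length: short or long form
    body = token[2 + (0 if n < 0x80 else n & 0x7F):]
    if body.startswith(OID_KRB5):
        return "kerberos"                # bare Kerberos token
    if body.startswith(OID_SPNEGO):
        # SPNEGO wraps the real mechanism token; NTLM can hide inside it.
        if NTLMSSP in body:
            return "ntlm"
        return "kerberos" if OID_KRB5 in body else "unknown"
    return "unknown"

def constructed_samples():
    """Constructed, minimal tokens (not captured traffic) for each case."""
    def hdr(raw):
        return "Negotiate " + base64.b64encode(raw).decode()
    def gss(oid, rest):
        return bytes([0x60, len(oid + rest)]) + oid + rest
    neg_init = bytes.fromhex("a011300fa00d300b") + OID_KRB5  # mechTypes only
    return {
        "spnego_krb5": hdr(gss(OID_SPNEGO, neg_init)),
        "spnego_ntlm": hdr(gss(OID_SPNEGO, bytes.fromhex("a20a0408") + NTLMSSP)),
        "raw_ntlm": hdr(NTLMSSP + b"\x01\x00\x00\x00"),
    }

if __name__ == "__main__":
    for name, value in constructed_samples().items():
        print(name, "->", classify_negotiate(value))
```

A result of `ntlm` for a domain user usually means the browser could not obtain a Service Ticket for the Project Portal service principal.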
Note: When describing Kerberos, realms are always written in all capital letters, and that is the standard used throughout this document.
Configuring Project Portal with the Kerberos add-on is described in the following topics.