
Curious question: Where is Kerberos actively used today?

I remember there was a general disinterest even back when Kerberos was still a thing ...



MAD uses it rather extensively. That's one of the reasons you see a confusing mashup of case in docs relating to AD. DNS: example.co.uk, Kerberos Realm: EXAMPLE.CO.UK To add confusion there is the NETBIOS shortname for a "Domain" (which is really a realm) which in this case could be EXAMPLE or EX or whatever.

As a Linux sysadmin/user in an MS world, I have pretty much managed to Kerberize everything I can get my hands on via Samba (winbindd). I also use Evolution with the EWS plugin to get to Exchange and use Kerberos to auth to that. All my sshd's support GSSAPI auth and so does PuTTY for my Windows loving colleagues. Firefox and Chrome(ium) support GSSAPI.

Whether I like it or not, MAD is here to stay and so I have to embrace it .... 8)

I have fully documented build docs for several Linux distros for our corp needs. I now have feature parity with Windows for our use cases. A bit more testing and tweaking needed to cover edge and corner cases, then I will get a volunteer to try it out, etc etc. One step at a time.

Anyway, to answer your question: everywhere that has AD installed or FreeIPA and the like, and of course places that use Kerberos itself, e.g. MIT!


Microsoft Active Directory (ADS) uses Kerberos for single sign on. As soon as you log in to a domain you get a Kerberos ticket. So it's actually quite widespread.


Yes, I have setup Java and Apache servers to do authentication with Kerberos. The support is quite mature now. The only hassles tend to be with the Windows servers and PCs deprecating weaker algorithms which require tweaking krb5.conf and occasionally digging into AD attributes.


Could you recommend some good sources for this?


It's used in research computing environments. My university used it to authenticate to the general access clusters, and you'll find references to its use in government labs if you dig in their support pages. Additionally, if AFS [0] is being used, it's a safe bet that Kerberos is also present.

0: https://en.wikipedia.org/wiki/Andrew_File_System


When AFS was created the Kerberos spec wasn't final yet. So they use something similar called a PAG (instead of a ticket). You need a special tool to convert your Kerberos ticket to an AFS PAG. Real support for Kerberos V is something that has been on the wishlist for quite some time.


We use Kerberos for all of our internal services with the goal of never having to enter your password twice.

* File shares

* Web services

* Source control

* Remote access

* Administrative access

* VPN Access

* Email

* IM/Chat


Securing any hadoop infrastructure typically needs kerberos. But, don't even get me started on the fragile integration, riddled with bugs.


All of our linux/freebsd boxes on our network at work must be hooked up to kerberos. Most of the day I don't have to type my password for anything HTTP/SSH unless it's for sudo.


How do you integrate kerberos sso and http? Is there web browser support? The last time I looked at this, I could get sso to work with apache on the server side and windows (internet explorer) clients - but for anything else I don't think I got ticket forwarding etc to work? (Granted this is a long while back).

I'd love to hear a few keywords about your stack (heimdal/mit, web server(s), directory server(s) etc)?


Have a look at the Arch and Gentoo wikis; both have a lot of notes.

I wrote this: https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperabili... It is a little out of date (I keep the latest set of notes on our corp wiki) but will get you most of the way there. The notes on the Arch wiki also have some quite up to date notes on using pam_mount and getting mount.cifs working with Kerberos (ie I've read the docs and experimented, so you don't have to)

winbindd in Samba 4.x is really rather good and will happily manage the Kerberos side of things for you for a minimal setup cost. If you find yourself following a howto that starts wittering on about using setspn.exe on a DC then run away! I recently noticed that SSSD is available on rather a lot of Linux distros and is well respected. Must have a look.

As I mentioned in another thread there is a lot of support for SSO with Kerberos/GSSAPI in nearly everything you can get your paws on. Even Nagstamon can do it! Chrome on Windows - Group Policy, Chrome or Chromium on Linux - policies in a JSON file in a certain location, Firefox - about:config - you can send out FF settings with a file (can't remember the name), IE - Group Policy. PuTTY for ssh. OpenSSH client and server. Squid. Apache, nginx, IIS all do it.

I login to this laptop using my AD username and password. If the wifi is a bit slow and winbindd can't get to the domain then it uses a cached (cryptographically hashed) version of my password to allow me in or not. When it finds the DC (VPN or LAN) then it is able to fix up my Kerberos ticket cache on my behalf.

I know for a fact (by direct experience) that this all works on Gentoo, Arch and Ubuntu (Xenial and Trusty). Any Unix-alike distro that can run mitkrb or heimdal and Samba 4 should be able to do all of this.
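The browser and server support listed above all rides on the HTTP Negotiate scheme, and the same scheme carries NTLM when the client has no ticket, so "SSO works" does not by itself prove Kerberos was used. The following is an added example, not code from the thread or from any of the products mentioned: it decodes the token from an "Authorization: Negotiate ..." header far enough to tell an RFC 2743 initial context token (APPLICATION 0 tag, DER length, mechanism OID) from a raw NTLMSSP blob, and names the mechanism. The OIDs are the registered SPNEGO, Kerberos, Microsoft Kerberos and NTLMSSP values; the `make_token` helper and the sample header values are constructed test data, not real tickets.

```python
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_SPNEGO: "spnego", OID_KRB5: "krb5",
              OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at pos; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_length_enc(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def decode_oid(raw: bytes) -> str:
    """Base-128 OID decoding: first byte packs the first two arcs."""
    if not raw:
        raise ValueError("empty OID")
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:                       # last byte still had the continuation bit set
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def classify_negotiate(header_value: str) -> str:
    """Classify the first-leg token of 'Negotiate <base64>': returns
    'ntlmssp', 'spnego', 'krb5', 'ms-krb5' or 'unknown:<oid>'.
    Later legs (NegTokenResp, tag 0xA1) are out of scope here."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00"):      # raw NTLM, no GSS wrapper at all
        return "ntlmssp"
    if tok[:1] != b"\x60":                  # [APPLICATION 0] InitialContextToken
        raise ValueError("not an RFC 2743 initial context token")
    _, pos = _der_length(tok, 1)
    if tok[pos:pos + 1] != b"\x06":
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(tok, pos + 1)
    oid = decode_oid(tok[pos:pos + oid_len])
    return MECH_NAMES.get(oid, "unknown:" + oid)


def make_token(oid: str, inner: bytes) -> bytes:
    """Wrap inner bytes as an InitialContextToken for the given mechanism
    (constructed test data; a real Kerberos token carries an AP-REQ here)."""
    enc = encode_oid(oid)
    body = b"\x06" + bytes([len(enc)]) + enc + inner
    return b"\x60" + _der_length_enc(len(body)) + body


# Constructed sample header values, as a server would see them.
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    make_token(OID_KRB5, b"\x01\x00" + b"\x00" * 300)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for h in (SAMPLE_KRB5, SAMPLE_NTLM):
        print(classify_negotiate(h))
```

Logging the result per request is an easy way to spot clients that silently fell back to NTLM (no ticket, host not in the browser's trusted-URI list, or a missing SPN), which is the usual reason "SSO works" for Windows/IE and not for anyone else.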


> winbindd ... I recently noticed that SSSD is available on rather a lot of Linux distros and is well respected. Must have a look.

Yeah definitely ditch winbindd and use SSSD. SSSD makes doing this really easy and works really well.


Yes. Except on samba servers, on those you really really want to run winbindd.


Are you using Samba as a DC in this situation? Because I can't think of a reason you would have to ditch SSSD to set up file shares.


No, just as an AD member server. Without winbindd, samba has to fall back to the libc pam/nss functionality which is not as full-featured as the one provided by winbindd. So there's some performance benefits which might or might not matter for you, but there's also some cases that don't work at all without winbindd; at least we were unable to allow non-domain clients (e.g. personal laptops) access to a smb share without winbindd.

If you dig into this topic you can find mails from samba core devs on samba-technical saying that you REALLY should run winbind for a samba AD member server.


We use Keycloak (hooked up to FreeIPA) which will try to authenticate against Kerberos and then fall back to a regular login screen or a cookie for more limited SSO. The actual web apps are configured with OpenID Connect or SAML and don't know anything about Kerberos.


http://www.keycloak.org/ looks fantastic.

btw, https doesn't work, the cert indicates github


Keycloak is interesting, thanks.


FreeBSD, OpenSSH, Apache mod_kerb2 (and mod_auth_ldap for authorization), Active Directory.

1. install server

2. msktutil tool joins machine to domain (simple tool; no dependencies) and now you have /etc/krb5.keytab file

3. minor configuration for base OS -- LDAP using keytab instead of bind user with static password, etc

4. webservers just need an HTTP principal keytab created (simple msktutil command, then extract it from the /etc/krb5.keytab file into a file apache can read/write)

5. I can ssh to every server without a password after running "kinit" on my macbook

6. it just works and it's reliable, time tested, and secure.
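Step 4 above hands the web server a keytab cut out of /etc/krb5.keytab, and the thing to verify afterwards is that the cut-down file really holds only the HTTP/ key (the machine's host/ key would let the web server process impersonate the host) and no keys for enctypes the DCs have retired. This added example, not the commenter's tooling and not part of msktutil or ktutil, parses the MIT version-2 keytab format offline, builds the HTTP-only keytab, and audits it. The principal names, realm, kvno, timestamps and key bytes are constructed sample data; the enctype numbers are the registered Kerberos values.

```python
import struct
from dataclasses import dataclass

# Enctype numbers from the Kerberos registry; 1, 3 and 23 are the ones the
# Windows side has been switching off.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str      # e.g. "HTTP/web1.example.co.uk@EXAMPLE.CO.UK"
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse an MIT 0x0502 keytab. Per entry: int32 size, uint16 ncomponents,
    counted realm, counted components, uint32 name type, uint32 timestamp,
    uint8 kvno, uint16 enctype, counted key, optional uint32 kvno.
    A negative size is a hole left by a deleted entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        if size == 0:
            break
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        p += 4                                    # name type, not needed here
        (ts,) = struct.unpack_from(">I", rec, p)
        kvno, p = rec[p + 4], p + 5
        enctype, klen = struct.unpack_from(">HH", rec, p)
        key, p = rec[p + 4:p + 4 + klen], p + 4 + klen
        if p + 4 <= len(rec):                     # 32-bit kvno wins if non-zero
            (vno32,) = struct.unpack_from(">I", rec, p)
            kvno = vno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, ts, key))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise entries in the same format (used for the sample data below
    and for writing the extracted service keytab)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        rec = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # 1 = KRB5_NT_PRINCIPAL
        rec += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        rec += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def extract_service(data: bytes, service: str = "HTTP") -> bytes:
    """New keytab holding only <service>/... entries: what the web server
    should be given instead of a copy of the whole /etc/krb5.keytab."""
    keep = [e for e in parse_keytab(data) if e.principal.startswith(service + "/")]
    return build_keytab(keep)


def audit_service_keytab(data: bytes, service: str = "HTTP") -> list:
    """Report foreign principals and weak-enctype keys in a service keytab."""
    problems = []
    for e in parse_keytab(data):
        if not e.principal.startswith(service + "/"):
            problems.append("unexpected principal " + e.principal)
        if e.enctype in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s"
                            % (ENCTYPES.get(e.enctype, e.enctype), e.principal))
    return problems


# Constructed sample resembling /etc/krb5.keytab after an msktutil join that
# also requested an HTTP principal; key bytes are dummies.
MACHINE_KEYTAB = build_keytab([
    KeytabEntry("host/web1.example.co.uk@EXAMPLE.CO.UK", 3, 18, 1500000000, b"\x11" * 32),
    KeytabEntry("HTTP/web1.example.co.uk@EXAMPLE.CO.UK", 3, 18, 1500000000, b"\x22" * 32),
    KeytabEntry("HTTP/web1.example.co.uk@EXAMPLE.CO.UK", 3, 23, 1500000000, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(MACHINE_KEYTAB):
        print(e.kvno, ENCTYPES.get(e.enctype, e.enctype), e.principal)
    print(audit_service_keytab(MACHINE_KEYTAB))
    print(audit_service_keytab(extract_service(MACHINE_KEYTAB)))
```

Run it against the real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` as root; the audit of the extracted copy should come back empty, and the copy should be owned by the web server user with mode 0400 rather than the read/write the step above mentions, since Apache only ever needs to read it.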


Interesting! Why did your company choose Kerberos over, say, SSL/SMIME certificates?

(Honest question, because I had the impression that typically, companies base their PKI on SMIME certificates, because it is easier to setup than an OpenPGP based PKI, and because these certs are supported by most email clients out of the box, in addition to HTTPS and SSH.)


I'm only chiming in here because we do the same. We have an AD! Bizarrely it is actually rather easy to use despite the nightmare of rubbish docs on t'internets. We use winbindd (SSSD is another well respected option - must try it) and the algorithmic idmap backend which guarantees the same uid/gid on all Linux boxes. winbindd also sorts out Kerberos keytabs for the machine itself ("join the domain") and logged-in users via winbind's NSS and PAM add-ons. Finally, winbind can cache logins for offline logins which is nice for say this laptop that I am using right now.

All browsers that I use (IE, Chrom{e|ium}, Firefox) support GSSAPI. Apache, IIS, nginx support GSSAPI. OpenSSH and PuTTY support GSSAPI. There is a lot of support for it out there. Oh and of course Squid for all your proxy needs and HAProxy works as expected (I use it to front Exchange to get PCI DSS compliance even for Exchange 2010 - but that is more a TLS thing). Evolution EWS works through that lot using Kerberos for auth for the full Exchange client experience, including calendaring, without needing Outlook.

Kerb is for auth whereas SSL is for encryption. I think you may be confusing use cases a bit. To be fair all that stuff can be a bit confusing and there is a lot of overlap. SSL can be used for identity proof (often proof by assertion) and so can Kerberos (proof by faith in the rest of your realm)


SSSD has been really, REALLY good to my group... except during initial setup. The logging failed me several times in trying to track down problems. The biggest one was when one of the our sysadmins had mistyped "default". Everything appeared to be connecting, getting data from LDAP... and then SSSD would crash with an empty log file.

It worked fine on all of our other machines with the incorrect spelling. The versions of Debian and SSSD were the same. I assume some library was different, but I never found it. I eventually noticed the typo, fixed it, and everything started working.

That was a couple of years ago. After those initial debugging hurdles, it has "just worked" through upgrades and major software changes.

I'm probably jinxing it by praising it. I'm now expecting SSH to stop working on every machine.


Trust me, setting up sssd with debug logging etc. is like the second coming of Jebus compared to ye olde school way of doing it with pam_krb5 + nss_ldap..


Can't say either way, but after spending a few minutes Googling S/MIME support, it seems completely incompatible with most web browsers and web email services. The only exception appears to be Office 365 with Internet Explorer on Windows? While end-to-end encryption of emails is nice, I'm not sure the benefits outweigh the drawbacks, unless required by regulation. It'd be nice if more webmail providers and browser makers supported S/MIME, especially considering new privacy rules in the EU...


FreeIPA provides SSO support through kerberos.

macOS ships with kerberos support, and I think it's used with macOS server as well.


We used it to provide SSO for custom-provisioned productivity stacks as recently as four years ago (think Atlassian alternative).


FreeIPA (referenced in the article) is mature and well supported and active.

I don't actually know how widely used it is.


Data point. We use it for indirect AD integration in our shop. It's humming along just fine.


It's single-sign-on for your LAN


(Doesn't have to be through your LAN)


Correct (all models are wrong ;)


It's practically the only authentication/security mechanism available for Hadoop ecosystems?



