On one of my projects, I was trying to set up Kerberos authentication (SASL_SSL). It seems to be the hardest possible approach to set up. Moreover, I was working on localhost in an enterprise network, which did not simplify the work.
So after a few weeks of fighting I ended up with the knowledge that:
- Documentation is quite precise
- Kerberos/SASL_SSL manuals are not very precise and require deep knowledge of certificates
- To generate keys on Windows 10 you need WSL
- To get proper keys you need the CA of your organization with its private keys, so you won’t do it on your own
Given the above, I came to the conclusion that Kerberos/SASL_SSL is the safest approach; however, the setup complexity is so high that it is much easier, and only a bit less safe, to use SSL with username/password. A side effect is having to ensure secure storage of the username and password (including password policy and account expiry).