Single sign-on with W2K, IE 6.1 and JGSS

Luke Howard lukeh at PADL.COM
Sat Sep 21 12:16:03 EDT 2002

>I have been trying to achieve single sign-on with IE 6.1 on Win2k systems.
>Basically, trying to emulate IIS and IE kerberos auth exchange. In my case
>the server happens to be Tomcat.
>IIS and IE exchange GSSAPI token using SPNEGO mechanism. IIS sets HTTP
>header "WWW-Authenticate:" to "Negotiate". IE responds with HTTP Header
>"Authorization:" set to "Negotiate b64[gssapi-token]".

Does JGSS support SPNEGO? If not, and there is a Java ASN.1 parser, it
shouldn't be too hard to add.

>Any ideas why this is happening? Also, is jgss implementation on Solaris
>based on Sun GSSAPI C implementation? Is SSPI different from GSSAPI?

I don't know whether JGSS is based on the GSS-API C implementation. The
latter is in turn based on the MIT code with fixed mech glue. SSPI has
a different set of API bindings to GSS-API, however it emits compatible
tokens and thus is wire-equivalent.

-- Luke

Luke Howard | PADL Software Pty Ltd |

More information about the Kerberos mailing list