Single sign-on with W2K, IE 6.1 and JGSS

Paul Sangster paul.sangster at
Mon Sep 23 11:19:20 EDT 2002

Luke Howard wrote:

>>I have been trying to achieve single sign-on with IE 6.1 on Win2k systems.
>>Basically, trying to emulate IIS and IE kerberos auth exchange. In my case
>>the server happens to be Tomcat.
>>IIS and IE exchange GSSAPI token using SPNEGO mechanism. IIS sets HTTP
>>header "WWW-Authenticate:" to "Negotiate". IE responds with HTTP Header
>>"Authorization:" set to "Negotiate b64[gssapi-token]".
> Does JGSS support SPNEGO? If not, and there is a Java ASN.1 parser, it
> shouldn't be too hard to add.

No I don't believe JGSS support SPNEGO (nor does Solaris's GSS).

>>Any ideas why this is happening? Also, is jgss implementation on Solaris
>>based on Sun GSSAPI C implementation? Is SSPI different from GSSAPI?
> I don't know whether JGSS is based on the GSS-API C implementation. The
> latter is in turn based on the MIT code with fixed mech glue. SSPI has
> a different set of API bindings to GSS-API, however it emits compatible
> tokens and thus is wire-equivalent.

JGSS is a pure Java implementation so its not layered upon the existing C

> -- Luke
> --
> Luke Howard | PADL Software Pty Ltd |
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list