Kerberos: The Definitive Guide now available

Wyllys Ingersoll wyllys.ingersoll at
Thu Aug 21 11:03:15 EDT 2003

Dick Joltes wrote:
> I e-mailed the author before the book was published to ask about its
> coverage of programming & development topics.  The book is solely
> devoted to management and configuration issues; programming and
> development are not discussed at all.
> I'm half tempted to start work myself on a book covering the API,
> but have no idea if anyone is doing so already or if one is even
> needed.

Im not sure how much of the Kerberos API is considered "stable" (i.e.
not subject to change from revision to revision).  Writing a book
about the API as it stands today in 1.3 might be out-of-date in a
year or whenever 1.4 comes out.

The API is not-standard, it is not specified by any RFC, thus its harder
to document it definitively.

> At 06:31 AM 19-08-03 -0700, you wrote:
>> Hello,
>> congratulations and thanks for you new book.
>> I've read O'Reilly information about it, but, and I'm not sure it
>> covers all I need (I'm a newbie in all kerberos/spnego/GSS-API stuff)
>> Does it explain how to use java 1.3/1.4 to implement SPNEGO on the Web
>> server side, and later extract and validate the TGT with a KDC, as
>> Active Directory?. For example, to be implemented by a servlet.
>> Or does it cover how to implement this http authentication protocol
>> directly in an apache module, to achieve SSO with IE6/WIN2k, without
>> asking user for kerberos passwords?

Microsoft documented much of what you are asking about recently.
I don't have a link handy, but you can search for it on MSDN website
or maybe someone reading this list will post it.

Most of what you are doing would be done via the GSSAPI interface
and should not involve writing to the KRB5 API at all.  SPNEGO is
a GSSAPI mechanism, but there currently are not any open source
SPNEGO implementations that I'm aware of.


More information about the Kerberos mailing list