GSSAPI x Kerberos

Kent_Wu@trendmicro.com Kent_Wu at trendmicro.com
Fri Jul 11 18:21:18 EDT 2003


Is that true when IIS issues "WWW-Authenticate: Negotiate" it actually means NTLM? Supposedly after win 2000 Kerberos replaced NTLM to became the default authentication mechanism in win but I'm not sure how they integrate kerberos into HTTP traffic. And if kerberos authentication is doable, how a 3rd party http proxy to support this in terms of proxy authorization (407 return code)?

Kent

-----Original Message-----
From: silvio at gdora.com.br [mailto:silvio at gdora.com.br]
Sent: Wednesday, July 09, 2003 5:34 AM
To: Sam Hartman
Cc: Kerberos Mailing
Subject: Re: GSSAPI x Kerberos


Sam Hartman wrote:
> Implement using GSSAPI unless there is something that you need that
> cannot be provided by GSSAPI.

Thanks :-) I was going to do that but I asked here to be sure...

The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft 
implemented the GSS over HTTP to IIS and IE, in the docs it says to use "WWW-
Authenticate: Negotiate", but the patch to Mozilla looks a little different, it 
uses "GSS-Negotiate"... Since I'm going to do both server and client 
modification to support Kerberos in this application I could use anything, what 
you think that would be better the MS draft or the one the works on 
Mozilla/Apache?

There's any other kind of GSS authentication over HTTP?

Thanks in advance,
Silvio Fonseca
Linux Consultant
-------------------------------------------------
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42
Alto de Santana - São Paulo - SP
Telefones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list