GSSAPI x Kerberos

Kent_Wu@trendmicro.com Kent_Wu at trendmicro.com
Mon Jul 14 20:50:33 EDT 2003


Hi Tim,

	Yes, I'm interested. My question is does I.E or netscape support kerberos authentication? My impression was not however my data might be outdated. Then even if the browser supports, it means the browser needs to get TGT and service ticket for proxy/web server, and the proxy/web server also needs to be registered in that KDC as well. Is everything all hooked up by now? 

Thx.

Kent

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.Ltd.UK]
Sent: Friday, July 11, 2003 11:39 PM
To: Kent Wu (RD-US); silvio at gdora.com.br; hartmans at mit.edu
Cc: kerberos at mit.edu
Subject: RE: GSSAPI x Kerberos


Kent,

The SPNEGO protocol is used by Microsoft in IIS and IE to negotiate between NTLM and Kerberos and accept a context using both protocols. The reason why Microsoft used this is so that IIS can work with NT workstations where no Microsoft Kerberos library is present and/or older versions of IE where no Kerberos support is provided.

I hope this helps ?

Regarding your question about proxy support - if you are interested we have a product that provides Kerberos (not NTLM) authentication between browser (e.g. IE) and web servers (e.g. Apache) and is designed to support the use of proxy servers as well as web servers.

Take care, Tim. 

-----Original Message-----
From: Kent_Wu at trendmicro.com [mailto:Kent_Wu at trendmicro.com] 
Sent: 11 July 2003 23:21
To: silvio at gdora.com.br; hartmans at mit.edu
Cc: kerberos at mit.edu
Subject: RE: GSSAPI x Kerberos

Is that true when IIS issues "WWW-Authenticate: Negotiate" it actually means NTLM? Supposedly after win 2000 Kerberos replaced NTLM to became the default authentication mechanism in win but I'm not sure how they integrate kerberos into HTTP traffic. And if kerberos authentication is doable, how a 3rd party http proxy to support this in terms of proxy authorization (407 return code)?

Kent

-----Original Message-----
From: silvio at gdora.com.br [mailto:silvio at gdora.com.br]
Sent: Wednesday, July 09, 2003 5:34 AM
To: Sam Hartman
Cc: Kerberos Mailing
Subject: Re: GSSAPI x Kerberos


Sam Hartman wrote:
> Implement using GSSAPI unless there is something that you need that 
> cannot be provided by GSSAPI.

Thanks :-) I was going to do that but I asked here to be sure...

The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft implemented the GSS over HTTP to IIS and IE, in the docs it says to use "WWW-
Authenticate: Negotiate", but the patch to Mozilla looks a little different, it uses "GSS-Negotiate"... Since I'm going to do both server and client modification to support Kerberos in this application I could use anything, what you think that would be better the MS draft or the one the works on Mozilla/Apache?

There's any other kind of GSS authentication over HTTP?

Thanks in advance,
Silvio Fonseca
Linux Consultant
-------------------------------------------------
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42 Alto de Santana - São Paulo - SP
Telefones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list