GSSAPI x Kerberos
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Tue Jul 15 03:14:12 EDT 2003
Kent,
Microsoft have implemented Kerberos into IE and IIS, so 'yes' IE does have Kerberos support included. I am not aware of any support for the protocol in Netscape.
Our WebAccess product which I referred to earlier does not require the browser to support Kerberos - this is because we have a workstation installed proxy that configures the browser proxy settings to point to itself - the browser to web server session therefore follows the path: browser<->local proxy<->network<->web server. With this approach we can add value to the authentication and integrity services between browsers (and SOAP enabled applications) on workstations and web servers or proxy servers in the network. The workstation local proxy establishes a security context with the web server which causes a service ticket to be obtained and presented to the web server - we pass the information needed to accept the context in the HTTP header. We are also able to support web server clusters, proxy servers and many configurations with this architecture.
I think it would be more appropriate to continue discussions about our products offline rather than involving everybody on this distribution list.
Thanks, Tim.
-----Original Message-----
From: Kent_Wu at trendmicro.com [mailto:Kent_Wu at trendmicro.com]
Sent: 15 July 2003 01:51
To: Tim.Alsop at CyberSafe.Ltd.UK
Cc: kerberos at mit.edu
Subject: RE: GSSAPI x Kerberos
Hi Tim,
Yes, I'm interested. My question is: does IE or Netscape support Kerberos authentication? My impression was not; however, my data might be outdated. Then even if the browser supports it, it means the browser needs to get a TGT and a service ticket for the proxy/web server, and the proxy/web server also needs to be registered in that KDC as well. Is everything all hooked up by now?
Thx.
Kent
-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.Ltd.UK]
Sent: Friday, July 11, 2003 11:39 PM
To: Kent Wu (RD-US); silvio at gdora.com.br; hartmans at mit.edu
Cc: kerberos at mit.edu
Subject: RE: GSSAPI x Kerberos
Kent,
The SPNEGO protocol is used by Microsoft in IIS and IE to negotiate between NTLM and Kerberos and accept a context using both protocols. The reason why Microsoft used this is so that IIS can work with NT workstations where no Microsoft Kerberos library is present and/or older versions of IE where no Kerberos support is provided.
I hope this helps?
Regarding your question about proxy support - if you are interested we have a product that provides Kerberos (not NTLM) authentication between browser (e.g. IE) and web servers (e.g. Apache) and is designed to support the use of proxy servers as well as web servers.
Take care, Tim.
-----Original Message-----
From: Kent_Wu at trendmicro.com [mailto:Kent_Wu at trendmicro.com]
Sent: 11 July 2003 23:21
To: silvio at gdora.com.br; hartmans at mit.edu
Cc: kerberos at mit.edu
Subject: RE: GSSAPI x Kerberos
Is it true that when IIS issues "WWW-Authenticate: Negotiate" it actually means NTLM? Supposedly after win 2000 Kerberos replaced NTLM to become the default authentication mechanism in win, but I'm not sure how they integrate Kerberos into HTTP traffic. And if Kerberos authentication is doable, how would a 3rd party HTTP proxy support this in terms of proxy authorization (407 return code)?
Kent
-----Original Message-----
From: silvio at gdora.com.br [mailto:silvio at gdora.com.br]
Sent: Wednesday, July 09, 2003 5:34 AM
To: Sam Hartman
Cc: Kerberos Mailing
Subject: Re: GSSAPI x Kerberos
Sam Hartman wrote:
> Implement using GSSAPI unless there is something that you need that
> cannot be provided by GSSAPI.
Thanks :-) I was going to do that but I asked here to be sure...
The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft implemented GSS over HTTP in IIS and IE. In the docs it says to use "WWW-Authenticate: Negotiate", but the patch to Mozilla looks a little different: it uses "GSS-Negotiate"... Since I'm going to do both server and client modifications to support Kerberos in this application I could use anything. Which do you think would be better, the MS draft or the one that works on Mozilla/Apache?
Is there any other kind of GSS authentication over HTTP?
Thanks in advance,
Silvio Fonseca
Linux Consultant
-------------------------------------------------
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42 Alto de Santana - São Paulo - SP
Telefones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
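Added example (not part of the original thread or any poster's code): a Python sketch that classifies the token a client sends in response to "WWW-Authenticate: Negotiate", so a server or proxy operator can tell a raw NTLM message from SPNEGO carrying Kerberos, the distinction discussed in the thread above. The function names and the sample header are constructed for illustration; the OIDs are the standard SPNEGO, Kerberos 5 and NTLMSSP mechanism identifiers.

```python
import base64

# Mechanism OIDs as DER content bytes (standard values).
SPNEGO = bytes.fromhex("2b0601050502")                      # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")                  # 1.2.840.113554.1.2.2
MECHS = {KRB5: "kerberos",
         bytes.fromhex("2a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (Microsoft variant)
         bytes.fromhex("2b06010401823702020a"): "ntlm"}     # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Name the mechanism inside an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return "ntlm"                             # raw NTLM message sent under Negotiate
        tag, pos, _ = read_tlv(tok, 0)                # GSS-API InitialContextToken (0x60)
        oid_tag, start, end = read_tlv(tok, pos)      # thisMech OID
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown"
        if tok[start:end] != SPNEGO:
            return MECHS.get(tok[start:end], "unknown")
        pos = end      # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, _ = read_tlv(tok, pos)
            if tag != expected:
                return "unknown"
        tag, start, end = read_tlv(tok, pos)          # first OID = initiator's preferred mechanism
        return "spnego:" + MECHS.get(tok[start:end], "unknown") if tag == 0x06 else "unknown"
    except (ValueError, IndexError):                  # bad base64 or truncated DER
        return "unknown"

def tlv(tag, body):                                   # builds constructed samples (short lengths only)
    return bytes([tag, len(body)]) + body
# Constructed sample header (not captured traffic): SPNEGO offering Kerberos first.
neg_init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x06, KRB5)))))
SAMPLE_SPNEGO_KRB = "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, SPNEGO) + neg_init)).decode()
```

A result of "ntlm" or "spnego:ntlm" on a service that is meant to be Kerberos-only indicates the client fell back to NTLM.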