GSSAPI x Kerberos
Daniel Kouril
kouril at ics.muni.cz
Mon Jul 21 04:54:56 EDT 2003
silvio at gdora.com.br wrote:
> Sam Hartman wrote:
>
>>Implement using GSSAPI unless there is something that you need that
>>cannot be provided by GSSAPI.
>
>
> Thanks :-) I was going to do that but I asked here to be sure...
>
> The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft
> implemented the GSS over HTTP to IIS and IE, in the docs it says to use "WWW-
> Authenticate: Negotiate", but the patch to Mozilla looks a little different, it
> uses "GSS-Negotiate"... Since I'm going to do both server and client
> modification to support Kerberos in this application I could use anything, what
> you think that would be better the MS draft or the one the works on
> Mozilla/Apache?
Sorry for the delay (the summer time :-). I think you're refering to the
mozilla patch available from negotiateauth.mozdev.org, which I'm
maintaining. The reason for the use of GSS-Negotiate instead of
Negotiate is that I don't have any SPNEGO implementation I could use, so
I suppose the patch will be linked with the GSSAPI libs provided by a
krb5 implementation. That's why I used the GSS- prefix in order to avoid
problems with MS products, which use SPNEGO protocol here.
I'm working on a SPNEGO implementation (I believe most of it could be
based on the mechglue mechanism) but I don't have much time I could
spend on it. Moreover, if I recall some discussion on the IETF krb
mailinglist, the Microsoft implementation of SPNEGO doesn't comply with
the SPNEGO standard.
--
Dan
More information about the Kerberos
mailing list