GSSAPI x Kerberos

Daniel Kouril kouril at ics.muni.cz
Mon Jul 21 04:54:56 EDT 2003


silvio at gdora.com.br wrote:
> Sam Hartman wrote:
> 
>>Implement using GSSAPI unless there is something that you need that
>>cannot be provided by GSSAPI.
> 
> 
> Thanks :-) I was going to do that but I asked here to be sure...
> 
> The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft 
> implemented the GSS over HTTP to IIS and IE, in the docs it says to use 
> "WWW-Authenticate: Negotiate", but the patch to Mozilla looks a little 
> different, it uses "GSS-Negotiate"... Since I'm going to do both server and 
> client modification to support Kerberos in this application I could use 
> anything, what do you think would be better, the MS draft or the one that 
> works on Mozilla/Apache?

Sorry for the delay (the summer time :-). I think you're referring to the 
Mozilla patch available from negotiateauth.mozdev.org, which I'm 
maintaining. The reason for the use of GSS-Negotiate instead of 
Negotiate is that I don't have any SPNEGO implementation I could use, so 
I suppose the patch will be linked with the GSSAPI libs provided by a 
krb5 implementation. That's why I used the GSS- prefix in order to avoid 
problems with MS products, which use SPNEGO protocol here.

I'm working on a SPNEGO implementation (I believe most of it could be 
based on the mechglue mechanism) but I don't have much time I could 
spend on it. Moreover, if I recall some discussion on the IETF krb 
mailing list, the Microsoft implementation of SPNEGO doesn't comply with 
the SPNEGO standard.

--
Dan
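
The difference between the two schemes discussed above is visible in the token itself: a GSSAPI initial context token (RFC 2743, section 3.1) starts with the mechanism OID, so a server can tell a raw krb5 token from a SPNEGO one before handing it to a library. The following is an added example, not part of the original post or of the Mozilla patch; the function names and sample tokens are constructed, and the scheme-to-mechanism mapping is an assumption taken from the message.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value).
MECHS = {
    bytes.fromhex("06062b0601050502"): "spnego",      # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "krb5",  # 1.2.840.113554.1.2.2
}
# Mechanism each scheme is expected to carry (assumption, per the message above).
EXPECTED = {"negotiate": "spnego", "gss-negotiate": "krb5"}

def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next offset)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def token_mechanism(token):
    """Name the mechanism in a GSSAPI initial context token."""
    if not token or token[0] != 0x60:  # [APPLICATION 0] framing tag
        raise ValueError("not an initial context token")
    length, pos = der_length(token, 1)
    if pos + length != len(token):
        raise ValueError("length field does not match token size")
    if pos + 2 > len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    return MECHS.get(token[pos:pos + 2 + token[pos + 1]], "unknown")

def check_authorization(value):
    """Return (scheme, mechanism, matches_scheme) for an Authorization value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in EXPECTED:
        raise ValueError("unsupported scheme")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc
    mech = token_mechanism(token)
    return scheme, mech, mech == EXPECTED[scheme.lower()]

def sample_header(scheme, oid_der):
    """Constructed sample: framing + OID + 200 placeholder bytes."""
    body = oid_der + b"\x00" * 200
    token = b"\x60\x81" + bytes([len(body)]) + body
    return scheme + " " + base64.b64encode(token).decode()
```

A server that supports only one mechanism can reject a header whose third field is False instead of passing an unexpected token to its GSSAPI library.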


