GSSAPI x Kerberos

Vadim Barshtak vadim at xpert.com
Tue Jul 29 08:36:22 EDT 2003


Hi guys,
Tim, how are you? ;-)

 A couple of related notes: MSIE 5+ installed on a Windows 2000+ domain
member supports the Kerberos protocol for INTEGRATED authentication. In
addition, it supports NTLM, but Kerberos is a preferable method if
both the server and the client support it (the choice of the strongest
available protocol is required by RFC 2617). In most cases, in order
to work properly, the "Enable Integrated Windows Authentication" option
should be turned on (check MS KB299838 for instructions). Such
authentication works fine between MSIE and different Microsoft
application services supporting integrated authentication (e.g. IIS).
However, pay attention - MSIE supports Kerberos authentication with
remote application servers ONLY, while it doesn't work with a proxy (by
design, refer to MS KB321728). This is a huge disadvantage since many
organizations have MS ISA proxy servers, and have to disable
integrated authentication because Kerberos is not supported, and NTLM
is not secure enough (in addition to the protocol itself, NTLM-based
integrated authentication requires a lot of unsecured connections
between ISA and Domain Controller, such as cleartext LDAP, RPC etc).
 Tim, a question to you - is it possible to use client-side WebAccess
MSIE plugin in order to allow Kerberos-based authentication with ISA
server?

  Hope it helps,
    Vadim
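
An added example, not part of the original message: a way to check from captured request headers whether integrated authentication is actually using Kerberos or has fallen back to NTLM, as the message describes for the proxy case. It assumes the values come from `Authorization` / `Proxy-Authorization` headers; the sample tokens are constructed, and taking the first mechanism OID in the token as the client's choice is a heuristic, not a full ASN.1 parse.

```python
import base64
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message
# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens
MECHS = [
    (bytes.fromhex("06092a864886f712010202"), "kerberos"),  # 1.2.840.113554.1.2.2
    (bytes.fromhex("06092a864882f712010202"), "kerberos"),  # 1.2.840.48018.1.2.2 (MS variant)
    (bytes.fromhex("060a2b06010401823702020a"), "ntlm"),    # 1.3.6.1.4.1.311.2.2.10
]

def classify(header_value):
    """Return the mechanism carried by an Authorization/Proxy-Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                      # raw NTLM, also seen under "Negotiate"
    if scheme.lower() == "ntlm" or not token:
        return "malformed"
    if token[0] == 0xA1:
        return "spnego-continuation"       # NegTokenResp: later leg, no mech list
    if token[0] != 0x60:
        return "malformed"                 # not a GSS-API initial context token
    # The first mechanism OID in the token is the one the client prefers and
    # for which it sent the optimistic mechToken.
    hits = [(token.find(oid), name) for oid, name in MECHS if oid in token]
    return min(hits)[1] if hits else "unknown-mech"

def audit(header_values):
    """Count mechanisms over an iterable of header values (e.g. from proxy logs)."""
    return Counter(classify(v) for v in header_values)

# Constructed sample tokens: correct leading tags and OIDs, no real tickets or hashes.
_b64 = lambda raw: base64.b64encode(raw).decode()
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
SAMPLES = [
    "Negotiate " + _b64(b"\x60\x30" + SPNEGO_OID + b"\xa0\x26" + MECHS[1][0] + MECHS[0][0] + MECHS[2][0]),
    "Negotiate " + _b64(NTLMSSP + b"\x01\x00\x00\x00"),
    "NTLM " + _b64(NTLMSSP + b"\x03\x00\x00\x00"),
    "Negotiate " + _b64(b"\x60\x10" + SPNEGO_OID + b"\xa0\x0e" + MECHS[2][0]),
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A high `ntlm` count for traffic through a proxy, next to `kerberos` for direct connections to application servers, is the pattern the message describes.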

