GSSAPI x Kerberos
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Tue Jul 29 08:46:11 EDT 2003
Vadim,
I suggest we discuss this offline since there is no need to copy verybody at kerberos at mit.edu
Anyway, we are already aware of the support in IE and IIS/ISA and its restrictions. Our product architecture supports proxy servers as well as non-proxy servers because we designed it to do so. We can also support ISA if needed.
Cheers, Tim.
-----Original Message-----
From: vadim at xpert.com [mailto:vadim at xpert.com]
Sent: 29 July 2003 13:36
To: kerberos at mit.edu
Subject: Re: GSSAPI x Kerberos
Hi guys,
Tim, how are you? ;-)
A couple of related notes: MSIE 5+ installed on Windows 2000+ domain member supports Kerberos protocol for INTEGRATED authentication. In addition, it supports NTLM, but Kerberos is a preferable method if noth the server and the client support it (the choice of the strongest available protocol is required by RFC 2617). In most cases, in order to work properly, "Enable Integrated Windows Authentication" option should be turned on (check MS KB299838 for instructions). Such authentication works fine between MSIE and different Microsoft application services, supporting integrated authentication(e.g. IIS).
However pay attention - MSIE supports Kerberos authentication with remote application servers ONLY, while it doesn't work with proxy (by design, refer to MS KB321728. This is a huge disadvantage since many organizations have MS ISA proxy servers, and have to disable integrated authentication because Kerberos is not supported, and NTLM is not secured enough (in addition to the protocol itself, NTLM-based integrated authentication requires a lot of unsecured connections between ISA and Domain Controller, such as cleartext LDAP, RPC etc).
Tim, a question to you - is it possible to use client-side WebAccess MSIE plugin in order to allow Kerberos-based authentication with ISA server?
Hope it helps,
Vadim
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list