SSPI Kerberos Window NT 4.0

Douglas E. Engert deengert at anl.gov
Wed Jul 30 08:35:29 EDT 2003



"Burruss, Dante M" wrote:
> 
> I have a question, If SSPI using Kerberos protocol service installed on a
> remote server (Window NT), in order for tickets from the client desktop to
> be interpret by the KDC and authentification to take place the on the server
> the client (desktop) must also have kerberos (client software) installed on
> there computer?  If this is true, what happens if you install SSPI on remote
> server and a client try's to access the server and client don't have
> kerberos  installed on there system?
> 
> I have a website where I need to authenticate using ASP and I need to get
> the client public token for authentification. I need to fully understand how
> to use Kerberos and install software.

The SSPI was introduced in NT 3 or 4, but did not use Kerberos. Kerberos was
introduced in W2K. Kerberos is used for authentication within the Windows
Domain. So your Active directory login is actually obtaining Kerberos tickets.

IE and IIS when used within the domain can use SSPI to authenticate the 
web connection. So for your browser to access the web site, the client 
and the web server must be in the same domain or the domains must have a trust
relationship. 

The SSPI when using Kerberos can interoperate with a UNIX machine which
is using the Kerberos GSSAPI. This has some great promise for being able to
extend the usefulness of the web authentication used between IE and IIS to other 
browsers and servers on non Windows machines. There may be some working being
done on this.  

(Its early in the morning, so this might not be exactly correct, and others
might have a better explanation.)  
   
  


> 
> Your response will greatly be appreciated.
> 
> Thanks
> 
> Dante M Burruss
> Department of State
> 703-875-4077
>  Unclassified
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444


More information about the Kerberos mailing list