kerberos for Microsoft IIS/any http server?

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Nov 25 16:56:40 EST 2003


Check out http://negotiateauth.mozdev.org
This guy has an extension for mozilla for supporting
Microsoft's Negotiate mechanism.  However, his version
currently only supports Heimdal's Kerberos/GSSAPI.
This site also has links to Apache plugins which support
the IIS negotiate method.

Also take a look at
http://bugzilla.mozilla.org/show_bug.cgi?id=17578

I posted a more generalized patch for Mozilla which *should*
be able to compile with Heimdal, MIT, or Solaris Kerberos
implementations.  It likely will not appear in Mozilla
until release 1.7, though.  In the meantime, extensions for
Mozilla 1.5 (and 1.6) should start appearing sometime
in the near future.

You don't mention what browser you are using or 
what OS platform you are using.

-Wyllys




On Mon, 2003-11-24 at 15:10, Sanjay wrote:
> Hi,
> 
> Is there a simple howto on getting a Win2K client, logged on to Active
> Directory (AD) domain, get a file from IIS server (running on AD server)
> with Kerberos authentication ..?
> 
> -- IIS server is running on the Active Directory server (win2k domain
> server).
> Win2k Server, SP2
> IIS 5.0
> -- Win2K client is having SP2 & IE 5.5 SP2.
> 
> With network tracing, I see IIS sends back WWW-Authenticate headers of
> Negotiate first, and then NTLM, but for some reason, Win2k client picks up
> the NTLM related handshake, not Negotiate.
> 
> During Windows logon on this client, I made sure that I use a sample user
> login from the above AD domain, and also made sure that Kerberos was
> exchanged between the client and AD KDC server.
> 
> Now, how do I get the Kerberos handshake going over HTTP against IIS that is
> running on the same AD server ?
> 
> Anyone got this going against any other HTTP server (Apache?)
> 
> tia,
> Sanjay
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 
Wyllys Ingersoll <wyllys.ingersoll at sun.com>



More information about the Kerberos mailing list