Browser authentication
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Feb 24 08:01:15 EST 2004
On Tue, 2004-02-24 at 04:00, Lukas Kubin wrote:
> Thank you for answer.
> The reason why I found this thread was to find which (additional)
> products I need to to create a web page accessible through webserver
> (Apache) when a user (client on Windows or Linux) has a valid MIT K5
> ticket in their cache.
>
> - is there any existing browser (for both Windows and Linux) suitable fo
> r this?
Internet Explorer has support today or Mozilla with the additional
"negotiateauth" extension (planned to be in the upcoming 1.7 release).
> - how does it work? does the webserver receive user's TGT or what?
The browser and web server exchange GSSAPI tokens encoded in the
HTTP header. The GSSAPI tokens are created from the HTTP service
ticket that the browser gets from the KDC using the TGT.
TGTs are never used directly for authentication, they are only
used to get the service tickets.
-Wyllys
More information about the Kerberos
mailing list