Need some tips on kerberizing our ENTIRE network

[Wyllys Ingersoll]

Fred Dushin wrote:
>  A big part of the problem is HTTP (big surprise -- yet another
>  protocol that is being used for purposes for which it was not
>  designed). Yes, IIS supports GSS authentication via SPNEGO, but I
>  have not been able to decipher whether data protection is offered;
>  anecdotal evidence suggests not; I've read commentary on the web to
>  this effect, and if you read the mod_auth_krb source code, you'll see
>  no reference to gss_wrap or gss_*_mic, so my guess is that all SPNEGO
>  is doing is offering SSO authentication. (That seems to be the gist
>  of the spec, as well) I'm not entirely sure if mutual auth is
>  offered, either, though I suppose technically it's possible to use
>  HTTP 401 to establish a mutually authenticated channel. (Anyone know
>  if IE/IIS supports this?)


Data protection is not part of the HTTP/Negotiate-Auth protocol.  It only
provides for *authentication* and even that is not protected unless you
channel it over SSL.   After the authentication is complete, GSSAPI is
never used again for that session.  The browsers and servers out there
today do not support the use of GSSAPI for protecting the HTTP exchanges,
only SSL.

Mutual authentication is not supported correctly because it is not possible
to do so without violating the HTTP spec.  Microsoft did it with IIS/IE, but
Mozilla stops short of the complete mutual-auth checking because it would
involve alot of hacks in the HTTP engine to handle non-standard fields
being sent in a "200 OK" response header. 

Basically, the recommended way to do HTTP/GSSAPI authentication
is to use SSL to protect the exchange and the data.   Mozilla/Firefox
is configured by default to only do the GSSAPI auth exchange if
the protocol is  "https", though that setting can be changed easily
enough.


-Wyllys Ingersoll