Hi Tim,

Yes, I'm interested. My question is: does IE or Netscape support Kerberos 
authentication? My impression was that they do not; however, my data might be outdated. 
Then even if the browser supports it, it means the browser needs to get a TGT and service 
ticket for the proxy/web server, and the proxy/web server also needs to be registered in 
that KDC as well. Is everything all hooked up by now? 

Thx.

Kent

-----Original Message-----
From: Tim Alsop [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 11:39 PM
To: Kent Wu (RD-US); [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: GSSAPI x Kerberos


Kent,

The SPNEGO protocol is used by Microsoft in IIS and IE to negotiate between NTLM and 
Kerberos and accept a context using both protocols. The reason why Microsoft used this 
is so that IIS can work with NT workstations where no Microsoft Kerberos library is 
present and/or older versions of IE where no Kerberos support is provided.

I hope this helps?

Regarding your question about proxy support - if you are interested we have a product 
that provides Kerberos (not NTLM) authentication between browser (e.g. IE) and web 
servers (e.g. Apache) and is designed to support the use of proxy servers as well as 
web servers.

Take care, Tim. 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 11 July 2003 23:21
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: GSSAPI x Kerberos

Is it true that when IIS issues "WWW-Authenticate: Negotiate" it actually means NTLM? 
Supposedly after Win 2000 Kerberos replaced NTLM to become the default authentication 
mechanism in Windows, but I'm not sure how they integrate Kerberos into HTTP traffic. And 
if Kerberos authentication is doable, how does a 3rd party HTTP proxy support this in 
terms of proxy authorization (407 return code)?

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 5:34 AM
To: Sam Hartman
Cc: Kerberos Mailing
Subject: Re: GSSAPI x Kerberos


Sam Hartman wrote:
> Implement using GSSAPI unless there is something that you need that 
> cannot be provided by GSSAPI.

Thanks :-) I was going to do that but I asked here to be sure...

The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft 
implemented GSS over HTTP for IIS and IE. In the docs it says to use 
"WWW-Authenticate: Negotiate", but the patch to Mozilla looks a little different: it uses 
"GSS-Negotiate"... Since I'm going to do both server and client modification to 
support Kerberos in this application I could use anything. Which do you think would 
be better, the MS draft or the one that works on Mozilla/Apache?

Is there any other kind of GSS authentication over HTTP?

Thanks in advance,
Silvio Fonseca
Linux Consultant
-------------------------------------------------
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42 Alto de Santana - São Paulo - SP
Telefones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
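
Added example, not part of the original thread or any poster's code: the question above of whether "Negotiate" actually means NTLM can be answered per request by decoding the token in the Authorization header, which is either a raw NTLMSSP message, a bare GSS-API mechanism token, or a SPNEGO NegTokenInit listing the offered mechanisms in preference order. The names `tlv`, `classify` and `SAMPLE` are hypothetical, the sample token is constructed, and the sketch assumes a well-formed NegTokenInit whose first field is mechTypes.

```python
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")                 # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos5",      # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS-Kerberos5",   # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
}

def tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify(header_value):
    """Return (kind, offered_mechanisms) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "gss-negotiate"):
        return "not-negotiate", []
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # NTLM sent with no SPNEGO wrapper
            return "raw-ntlm", ["NTLMSSP"]
        tag, body, _ = tlv(tok, 0)
        if tag == 0xA1:                    # NegTokenResp: a later leg of the exchange
            return "spnego-response", []
        if tag != 0x60 or body[:1] != b"\x06":  # [APPLICATION 0] wrapping a mech OID
            return "unknown", []
        _, oid, pos = tlv(body, 0)
        if oid != OID_SPNEGO:              # one mechanism used directly, no negotiation
            return "bare-gss", [MECHS.get(oid, oid.hex())]
        inner = body[pos:]
        for _depth in range(4):            # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF
            _, inner, _ = tlv(inner, 0)
        mechs, p = [], 0
        while p < len(inner):              # each element is one mechanism OID
            _, oid, p = tlv(inner, p)
            mechs.append(MECHS.get(oid, oid.hex()))
        return "spnego-init", mechs
    except (ValueError, IndexError):       # bad base64 or truncated/invalid DER
        return "malformed", []

# Constructed sample (not captured traffic): SPNEGO offering MS-Kerberos5, Kerberos5, NTLMSSP
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex("603206062b0601050502a0283026a024302206092a864882f71201020206092a864886f712010202060a2b06010401823702020a")).decode()
```

A result of `raw-ntlm`, or a `spnego-init` list containing only NTLMSSP, means no Kerberos ticket was offered for that request.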
