Frank Balluffi wrote:

My investigation shows that Firefox on Windows (which uses Microsoft SSPI) sends RFC 2478 SPNEGO tokens with the mutual-required flag on and Firefox on Linux/UNIX (which uses GSSAPI) sends RFC 1964 Kerberos tokens with the mutual-required flag off.

Can anyone think of a reason why Firefox on Linux/UNIX should not set the mutual-required flag on? Thanks.



Because the HTTP protocol does not support the use of mutual authentication.

Microsoft "broke" the HTTP standard in order to support mutual auth by adding
extra data to the "200 OK" response that the IIS server returns after it authenticates
the client's Kerberos creds (SSPI). The Mozilla developers did not want to pollute
the core HTTP protocol engine with special case code to handle the extra data that
might be associated with a mutual-auth GSSAPI response, so they chose to ignore it.


Because mutual auth is not possible at this time, it is strongly recommended that
any Linux/Apache installation that implements GSSAPI authentication (e.g. mod_auth_kerb)
also use SSL to encrypt the authentication exchange. The default settings in
Firefox/Mozilla are to only respond to the "Negotiate" request when the URL is
"https", though this can be overridden by the user.


-Wyllys

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
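To make the difference Frank describes concrete (an RFC 2478 SPNEGO wrapper versus a bare RFC 1964 Kerberos token, and where the mutual-required bit actually lives), here is an added example that is not part of this thread. It builds two constructed `Negotiate` header values and parses them back: the outer `[APPLICATION 0]` InitialContextToken, the mechanism OID, the optional NegTokenInit wrapper, and the `ap-options` BIT STRING of the embedded AP-REQ, whose bit 2 is mutual-required. The ticket and authenticator fields are empty placeholders, so these tokens are only for studying the framing, not for authenticating anywhere; the DER helpers are written here and assume single-byte tags, which is all these structures use.

```python
import base64

# Mechanism OIDs named in the thread: raw Kerberos (RFC 1964) and SPNEGO (RFC 2478)
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB_AP_REQ_TOK_ID = b"\x01\x00"      # RFC 1964 TOK_ID for a KRB_AP_REQ
AP_OPTION_MUTUAL_REQUIRED = 0x20     # KerberosFlags bit 2, MSB-first in the first flag octet


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tags only; enough for everything here)."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                              # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                          # base-128, high bit marks continuation
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    a0 = 2 if body[0] >= 80 else body[0] // 40
    arcs, val = [a0, body[0] - 40 * a0], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_ap_req(mutual_required: bool) -> bytes:
    """Constructed AP-REQ skeleton: real pvno/msg-type/ap-options, placeholder ticket/authenticator."""
    flags = bytes([0x00, AP_OPTION_MUTUAL_REQUIRED if mutual_required else 0x00, 0, 0, 0])
    fields = (tlv(0xA0, tlv(0x02, b"\x05"))            # pvno [0] INTEGER 5
              + tlv(0xA1, tlv(0x02, b"\x0E"))          # msg-type [1] INTEGER 14 (KRB_AP_REQ)
              + tlv(0xA2, tlv(0x03, flags))            # ap-options [2] BIT STRING
              + tlv(0xA3, tlv(0x61, tlv(0x30, b"")))   # ticket [3]: empty placeholder, not a real Ticket
              + tlv(0xA4, tlv(0x30, b"")))             # authenticator [4]: empty placeholder
    return tlv(0x6E, tlv(0x30, fields))                # [APPLICATION 14] SEQUENCE


def build_krb5_token(mutual_required: bool) -> bytes:
    """RFC 1964 InitialContextToken: [APPLICATION 0] { krb5 OID, TOK_ID, AP-REQ }."""
    return tlv(0x60, encode_oid(KRB5_MECH_OID) + KRB_AP_REQ_TOK_ID + build_ap_req(mutual_required))


def build_spnego_token(mutual_required: bool) -> bytes:
    """RFC 2478 NegTokenInit carrying the krb5 token as its mechToken."""
    neg_init = (tlv(0xA0, tlv(0x30, encode_oid(KRB5_MECH_OID)))             # mechTypes [0]
                + tlv(0xA2, tlv(0x04, build_krb5_token(mutual_required))))  # mechToken [2]
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, neg_init)))


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


def _inspect_krb5(inner: bytes) -> dict:
    if inner[:2] != KRB_AP_REQ_TOK_ID:
        raise ValueError("not a KRB_AP_REQ token")
    tag, ap_req, _ = read_tlv(inner, 2)
    if tag != 0x6E:
        raise ValueError("expected [APPLICATION 14] AP-REQ")
    _, fields, _ = read_tlv(ap_req)
    pos, mutual = 0, None
    while pos < len(fields):
        tag, body, pos = read_tlv(fields, pos)
        if tag == 0xA2:                                 # ap-options
            _, bits, _ = read_tlv(body)                 # bits[0] is the unused-bits count
            mutual = bool(bits[1] & AP_OPTION_MUTUAL_REQUIRED)
    if mutual is None:
        raise ValueError("AP-REQ without ap-options")
    return {"framing": "Kerberos (RFC 1964)", "mutual_required": mutual}


def inspect_negotiate(header: str) -> dict:
    """Classify a WWW-Authenticate/Authorization Negotiate value and read its mutual-required bit."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = read_tlv(body)
    mech = decode_oid(oid)
    if mech == KRB5_MECH_OID:
        return _inspect_krb5(body[pos:])
    if mech == SPNEGO_OID:
        _, neg_init, _ = read_tlv(body, pos)           # [0] NegTokenInit
        _, fields, _ = read_tlv(neg_init)              # SEQUENCE
        p, mechs, inner = 0, [], None
        while p < len(fields):
            tag, fbody, p = read_tlv(fields, p)
            if tag == 0xA0:                            # mechTypes: SEQUENCE OF OID
                _, lst, _ = read_tlv(fbody)
                q = 0
                while q < len(lst):
                    _, o, q = read_tlv(lst, q)
                    mechs.append(decode_oid(o))
            elif tag == 0xA2:                          # mechToken: InitialContextToken of the first mech
                _, mech_tok, _ = read_tlv(fbody)
                inner = inspect_negotiate(negotiate_header(mech_tok))
        if inner is None:
            raise ValueError("NegTokenInit without mechToken")
        return {"framing": "SPNEGO (RFC 2478)", "mechs": mechs, "mutual_required": inner["mutual_required"]}
    raise ValueError("unknown mechanism " + mech)


if __name__ == "__main__":
    print(inspect_negotiate(negotiate_header(build_spnego_token(True))))   # the Windows/SSPI shape
    print(inspect_negotiate(negotiate_header(build_krb5_token(False))))    # the Linux/GSSAPI shape
```

Pointing `inspect_negotiate` at a real `Authorization: Negotiate` value captured from a browser is the quickest way to confirm which of the two shapes a given client emits; the constructed tokens above exist only so the script runs offline.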
