[jcifs] Kerberos HTTP authentication

Eric Glass eric.glass at gmail.com
Tue Oct 3 16:24:26 GMT 2006

I don't think IE supports a "raw" Kerberos auth mechanism.  There were
some various initiatives at kerberizing http prior to Microsoft's
Negotiate/SPNEGO-based approach; this may have been on of those.

One thing that's mildly interesting to note is that MS's "Negotiate"
SSPI provider is non-conformant to SPNEGO in that it supports raw
tokens from subproviders (i.e. not wrapped in SPNEGO).  As a client,
you should be able to send raw kerberos tokens to IIS and get back an
appropriate response.

On 10/3/06, Mike Streeton <mike.streeton at ardentia.co.uk> wrote:
> Michael,
>    Found it in a few places after googling for
> "www-authenticate:Kerberos". I think do not think it is doing anything
> so I have take it out.
> Mike
> www.ardentia.com the home of NetSearch
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: 03 October 2006 16:06
> To: Mike Streeton
> Cc: Mike Streeton; eric.glass at gmail.com; jcifs at lists.samba.org
> Subject: Re: [jcifs] Kerberos HTTP authentication
> On Tue, 3 Oct 2006 14:57:37 +0100
> "Mike Streeton" <mike.streeton at ardentia.co.uk> wrote:
> > resp.addHeader("WWW-Authenticate", "Kerberos realm=\"mykdc\"
> > target=\"HTTP/myserver\"");
> I've never seen this header before. Did you just make this up? The
> correct header should be WWW-Authenticate: Negotiate
> <base64encodeddata>.
> Mike
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/

More information about the jcifs mailing list