[jcifs] Kerberos HTTP authentication
Eric Glass
eric.glass at gmail.com
Tue Oct 3 16:24:26 GMT 2006
I don't think IE supports a "raw" Kerberos auth mechanism. There were
some various initiatives at kerberizing http prior to Microsoft's
Negotiate/SPNEGO-based approach; this may have been on of those.
One thing that's mildly interesting to note is that MS's "Negotiate"
SSPI provider is non-conformant to SPNEGO in that it supports raw
tokens from subproviders (i.e. not wrapped in SPNEGO). As a client,
you should be able to send raw kerberos tokens to IIS and get back an
appropriate response.
On 10/3/06, Mike Streeton <mike.streeton at ardentia.co.uk> wrote:
> Michael,
> Found it in a few places after googling for
> "www-authenticate:Kerberos". I think do not think it is doing anything
> so I have take it out.
>
> Mike
>
> www.ardentia.com the home of NetSearch
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: 03 October 2006 16:06
> To: Mike Streeton
> Cc: Mike Streeton; eric.glass at gmail.com; jcifs at lists.samba.org
> Subject: Re: [jcifs] Kerberos HTTP authentication
>
> On Tue, 3 Oct 2006 14:57:37 +0100
> "Mike Streeton" <mike.streeton at ardentia.co.uk> wrote:
>
> > resp.addHeader("WWW-Authenticate", "Kerberos realm=\"mykdc\"
> > target=\"HTTP/myserver\"");
>
> I've never seen this header before. Did you just make this up? The
> correct header should be WWW-Authenticate: Negotiate
> <base64encodeddata>.
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
More information about the jcifs
mailing list