directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: SPNEGO negotiation support
Date Tue, 24 Nov 2015 02:44:47 GMT
Ok, that's fine. Back to my previous email, comments?
>>but the first thing would be to implement those ASN1 types. Maybe you could fire an
issue and give those ASN1 types we need to support first?

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Tuesday, November 24, 2015 10:12 AM
To: kerby@directory.apache.org
Subject: RE: SPNEGO negotiation support

So while technically spnego is supposed to be independent of kerberos, from a practical standpoint
spnego isn't used without kerberos. Java does come with a gssapi implementation but it's tied
to the hip to its kerberos implementation and it's not something that I can just call with
a ticket and generate a negotiate header.
On Nov 23, 2015 7:50 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:

> I thought Kiran gave a good thought. The general SPNEGO negotiation 
> itself doesn't involve Kerberos specifics. On the other hand, Kerberos 
> is an important mechanism often used in the negotiation, we do need to 
> think about what kinds of support is desired, to better support 
> Kerberos deployment and usage covering the HTTP/REST/Browser interfaces?
>
> Marc, would you give your thorough thoughts and details about your 
> requirement? We need further discussion here before we dive into the 
> support. Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> Sent: Tuesday, November 24, 2015 8:29 AM
> To: kerby@directory.apache.org
> Subject: RE: SPNEGO negotiation support
>
> >> this negotiation happens between HTTP client and HTTP server, 
> >> kerberos has nothing to do with it
> Yeah, kind of so. It would be good if Marc could give more details.
>
> Oracle JRE provides SPNEGO support. I thought it might not hurt if 
> Kerby also provides some similar things, in the library level. I'm not 
> sure about this, but maybe at least Kerby can encode/decode SPNEGO 
> negotiation messages? Anyway HTTP stuffs or whatever transport means 
> shouldn't be involved.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Kiran Ayyagari [mailto:kayyagari@apache.org]
> Sent: Tuesday, November 24, 2015 8:18 AM
> To: kerby@directory.apache.org
> Subject: Re: SPNEGO negotiation support
>
> On Tue, Nov 24, 2015 at 7:05 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Sounds great, Marc. I will continue to fix and test the path of 
> > using TGS-REQ to request a service ticket against MIT KDC.
> >
> > >> now I just need to figure out how to convert that into a SPNEGO
> > negotiate header.
> > It would be good to support SPNEGO negotiation in Kerby. I haven't 
> > got the time to review related specs, but the first thing would be 
> > to implement those ASN1 types. Maybe you could fire an issue and 
> > give those ASN1 types we need to support first?
> >
> this negotiation happens between HTTP client and HTTP server, kerberos 
> has nothing to do with it
>
> >
> > Let's discuss this in a new thread. Thanks.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > Sent: Tuesday, November 24, 2015 4:50 AM
> > To: kerby@directory.apache.org
> > Subject: Re: KDC is rejecting my TGS
> >
> > OK, so that DOES get me an SGT!  now I just need to figure out how 
> > to convert that into a SPNEGO negotiate header.  Any thoughts?
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
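
The encoding step the thread asks about, wrapping a Kerberos AP-REQ in a SPNEGO NegTokenInit (RFC 4178) and base64-encoding it into an HTTP Negotiate header (RFC 4559), is shown below as an added example; it is not Kerby code and not from any message in this thread. The function names are hypothetical, the AP-REQ is a constructed placeholder, and the optional reqFlags and mechListMIC fields are omitted.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # SPNEGO mechanism OID (RFC 4178)
KRB5_OID = "1.2.840.113554.1.2.2"   # Kerberos V5 mechanism OID (RFC 4121)

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value

def oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def krb5_mech_token(ap_req):
    # RFC 4121 framing: [APPLICATION 0] { krb5 OID, TOK_ID 01 00, AP-REQ }
    return tlv(0x60, oid(KRB5_OID) + b"\x01\x00" + ap_req)

def neg_token_init(mech_token):
    mech_types = tlv(0xA0, tlv(0x30, oid(KRB5_OID)))   # mechTypes [0] SEQUENCE OF OID
    token = tlv(0xA2, tlv(0x04, mech_token))           # mechToken [2] OCTET STRING
    init = tlv(0xA0, tlv(0x30, mech_types + token))    # CHOICE negTokenInit [0]
    return tlv(0x60, oid(SPNEGO_OID) + init)           # GSS-API InitialContextToken

def negotiate_header(ap_req):
    blob = neg_token_init(krb5_mech_token(ap_req))
    return "Authorization: Negotiate " + base64.b64encode(blob).decode("ascii")

# Constructed stand-in: a real AP-REQ is the DER message built from the service
# ticket and an authenticator; 200 zero bytes only exercise long-form lengths.
SAMPLE_AP_REQ = bytes(200)

if __name__ == "__main__":
    print(negotiate_header(SAMPLE_AP_REQ))
```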