directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject RE: SPNEGO negotiation support
Date Tue, 24 Nov 2015 02:51:59 GMT
Yep, will do. MS actually has a really good article detailing the ASN.1
structure.
On Nov 23, 2015 9:45 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:

> Ok, that's fine. Back to my previous email, comments?
> >>but the first thing would be to implement those ASN1 types. Maybe you
> could fire an issue and give those ASN1 types we need to support first?
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Tuesday, November 24, 2015 10:12 AM
> To: kerby@directory.apache.org
> Subject: RE: SPNEGO negotiation support
>
> So while technically SPNEGO is supposed to be independent of Kerberos, from
> a practical standpoint SPNEGO isn't used without Kerberos. Java does come
> with a GSSAPI implementation but it's tied to the hip to its Kerberos
> implementation and it's not something that I can just call with a ticket and
> generate a negotiate header.
> On Nov 23, 2015 7:50 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
>
> > I thought Kiran gave a good thought. The general SPNEGO negotiation
> > itself doesn't involve Kerberos specifics. On the other hand, Kerberos
> > is an important mechanism often used in the negotiation, we do need to
> > think about what kind of support is desired, to better support
> > Kerberos deployment and usage covering the HTTP/REST/Browser interfaces?
> >
> > Marc, would you give your thorough thoughts and details about your
> > requirement? We need further discussion here before we dive into the
> > support. Thanks.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:kai.zheng@intel.com]
> > Sent: Tuesday, November 24, 2015 8:29 AM
> > To: kerby@directory.apache.org
> > Subject: RE: SPNEGO negotiation support
> >
> > >> this negotiation happens between HTTP client and HTTP server,
> > >> kerberos has nothing to do with it
> > Yeah, kind of so. It would be good if Marc could give more details.
> >
> > Oracle JRE provides SPNEGO support. I thought it might not hurt if
> > Kerby also provides some similar things, in the library level. I'm not
> > sure about this, but maybe at least Kerby can encode/decode SPNEGO
> > negotiation messages? Anyway, HTTP stuff or whatever transport means
> > shouldn't be involved.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Kiran Ayyagari [mailto:kayyagari@apache.org]
> > Sent: Tuesday, November 24, 2015 8:18 AM
> > To: kerby@directory.apache.org
> > Subject: Re: SPNEGO negotiation support
> >
> > On Tue, Nov 24, 2015 at 7:05 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > Sounds great, Marc. I will continue to fix and test the path of
> > > using TGS-REQ to request a service ticket against MIT KDC.
> > >
> > > >> now I just need to figure out how to convert that into a SPNEGO
> > > negotiate header.
> > > It would be good to support SPNEGO negotiation in Kerby. I haven't
> > > got the time to review related specs, but the first thing would be
> > > to implement those ASN1 types. Maybe you could fire an issue and
> > > give those ASN1 types we need to support first?
> > >
> > this negotiation happens between HTTP client and HTTP server, kerberos
> > has nothing to do with it
> >
> > >
> > > Let's discuss this in a new thread. Thanks.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > > Sent: Tuesday, November 24, 2015 4:50 AM
> > > To: kerby@directory.apache.org
> > > Subject: Re: KDC is rejecting my TGS
> > >
> > > OK, so that DOES get me an SGT!  now I just need to figure out how
> > > to convert that into a SPNEGO negotiate header.  Any thoughts?
> > >
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>
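
The ASN.1 wrapping this thread asks about, as an added example that is not part of the original messages and is not Kerby code: it DER-encodes an RFC 4178 NegTokenInit offering only Kerberos, carrying an RFC 4121 initial token, and base64-encodes it for an `Authorization: Negotiate` header. The function names are hypothetical and the AP-REQ bytes are a constructed placeholder; a real AP-REQ has to come from the Kerberos client holding the service ticket.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def krb5_gss_token(ap_req: bytes) -> bytes:
    """RFC 4121 initial token: [APPLICATION 0] { krb5 OID, TOK_ID 01 00, AP-REQ }."""
    return der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)


def neg_token_init(mech_token: bytes) -> bytes:
    """RFC 4178 NegTokenInit offering only Kerberos, in the GSS-API framing."""
    mech_types = der(0xA0, der(0x30, der(0x06, KRB5_OID)))  # mechTypes [0]
    token = der(0xA2, der(0x04, mech_token))                # mechToken [2]
    init = der(0xA0, der(0x30, mech_types + token))         # CHOICE negTokenInit [0]
    return der(0x60, der(0x06, SPNEGO_OID) + init)


def negotiate_header(ap_req: bytes) -> str:
    """Value of the HTTP Authorization header for the given AP-REQ bytes."""
    blob = neg_token_init(krb5_gss_token(ap_req))
    return "Negotiate " + base64.b64encode(blob).decode("ascii")


# Constructed placeholder, NOT a usable AP-REQ: only the outer tag 0x6e
# ([APPLICATION 14]) matches what a real Kerberos client would produce.
SAMPLE_AP_REQ = der(0x6E, der(0x30, b"\x00" * 200))

if __name__ == "__main__":
    print("Authorization:", negotiate_header(SAMPLE_AP_REQ))
```

Tokens longer than 255 bytes start with `60 82`, which is why real Negotiate headers carrying Kerberos usually begin with `YII`.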
