directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject RE: SPNEGO negotiation support
Date Tue, 24 Nov 2015 02:11:54 GMT
So while technically SPNEGO is supposed to be independent of Kerberos, from
a practical standpoint SPNEGO isn't used without Kerberos. Java does come
with a GSS-API implementation, but it's tied at the hip to its Kerberos
implementation and it's not something that I can just call with a ticket and
generate a negotiate header.

On Nov 23, 2015 7:50 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:

> I thought Kiran gave a good thought. The general SPNEGO negotiation itself
> doesn't involve Kerberos specifics. On the other hand, Kerberos is an
> important mechanism often used in the negotiation, we do need to think
> about what kinds of support are desired, to better support Kerberos
> deployment and usage covering the HTTP/REST/Browser interfaces?
>
> Marc, would you give your thorough thoughts and details about your
> requirement? We need further discussion here before we dive into the
> support. Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> Sent: Tuesday, November 24, 2015 8:29 AM
> To: kerby@directory.apache.org
> Subject: RE: SPNEGO negotiation support
>
> >> this negotiation happens between HTTP client and HTTP server,
> >> Kerberos has nothing to do with it
> Yeah, kind of so. It would be good if Marc could give more details.
>
> Oracle JRE provides SPNEGO support. I thought it might not hurt if Kerby
> also provides some similar things, at the library level. I'm not sure about
> this, but maybe at least Kerby can encode/decode SPNEGO negotiation
> messages? Anyway, HTTP stuff or whatever transport means shouldn't be
> involved.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Kiran Ayyagari [mailto:kayyagari@apache.org]
> Sent: Tuesday, November 24, 2015 8:18 AM
> To: kerby@directory.apache.org
> Subject: Re: SPNEGO negotiation support
>
> On Tue, Nov 24, 2015 at 7:05 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Sounds great, Marc. I will continue to fix and test the path of using
> > TGS-REQ to request a service ticket against MIT KDC.
> >
> > >> now I just need to figure out how to convert that into a SPNEGO
> > >> negotiate header.
> > It would be good to support SPNEGO negotiation in Kerby. I haven't got
> > the time to review related specs, but the first thing would be to
> > implement those ASN1 types. Maybe you could fire an issue and give
> > those ASN1 types we need to support first?
> >
> this negotiation happens between HTTP client and HTTP server, Kerberos has
> nothing to do with it
>
> >
> > Let's discuss this in a new thread. Thanks.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > Sent: Tuesday, November 24, 2015 4:50 AM
> > To: kerby@directory.apache.org
> > Subject: Re: KDC is rejecting my TGS
> >
> > OK, so that DOES get me an SGT! Now I just need to figure out how to
> > convert that into a SPNEGO negotiate header. Any thoughts?
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
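
The encoding step discussed in this thread, as an added Python example (not code from Kerby or from anyone on the list): it wraps a DER-encoded Kerberos AP-REQ in the RFC 4121 GSS-API framing, places that in an RFC 4178 SPNEGO NegTokenInit, and base64-encodes the result for an HTTP `Negotiate` header. The function names are this example's own, and `SAMPLE_AP_REQ` is a constructed placeholder, not a valid AP-REQ; a real one is built from the service ticket plus an authenticator.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # SPNEGO pseudo-mechanism (RFC 4178)
KRB5_OID = "1.2.840.113554.1.2.2"   # Kerberos V5 GSS-API mechanism (RFC 4121)
SAMPLE_AP_REQ = b"\x6e\x03\x02\x01\x05"  # constructed placeholder bytes

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One DER tag-length-value element with a single-byte tag."""
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted):
    """Encode a dotted OID; each arc after the first two is base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def krb5_gss_token(ap_req_der):
    """[APPLICATION 0] { krb5 OID, TOK_ID 0x0100 (AP-REQ), AP-REQ bytes }."""
    return tlv(0x60, der_oid(KRB5_OID) + b"\x01\x00" + ap_req_der)

def spnego_init_token(mech_token, mechs=(KRB5_OID,)):
    """[APPLICATION 0] { SPNEGO OID, [0] NegTokenInit { mechTypes, mechToken } }."""
    mech_list = tlv(0x30, b"".join(der_oid(m) for m in mechs))
    neg_token_init = tlv(0x30, tlv(0xA0, mech_list)               # [0] mechTypes
                               + tlv(0xA2, tlv(0x04, mech_token)))  # [2] mechToken
    return tlv(0x60, der_oid(SPNEGO_OID) + tlv(0xA0, neg_token_init))

def negotiate_header(ap_req_der):
    """Value for the HTTP Authorization header."""
    token = spnego_init_token(krb5_gss_token(ap_req_der))
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

The resulting header carries a Kerberos authenticator for the target service, so it belongs only on a TLS connection to the host named in the service principal.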
