httpd-dev mailing list archives

From "Mike Spreitzer"
Subject RE: Kerberos authentication and authentication (proxy ticket forwarding)
Date Sat, 06 Nov 1999 11:54:25 GMT
> I would support it very much. Implementing it, though, gets legally
> dicey, unfortunately. Hmmmm, though Bones was exportable. I'll let the
> heavyweights answer this one.

I will too, however I'll note a reason I'm hopeful of a good outcome.  I
expect that what needs to be written down is simply a very straightforward
application of a very few existing standards.  I suspect that the necessary
Apache module could be written by someone that already has the necessary
background in about a day.  If worse comes to worse, I expect there are
people living in free countries who are qualified to write such a module.

> My understanding (and this is out-of-date information) was that the
> implementation [of Kerberos in Win2K] would be different enough to be
> incompatible. Has this changed?

In my previous reply I indicated that I understand Win2K to use a
specialization of Kerberos.  That means that general Kerberos code should
work on Win2K as well as elsewhere.  More specifically: any code that
doesn't care what's in the "authorization data" field of a ticket will work
just fine.  I expect that's a lot of clients and servers (as they'll just
discriminate on names), and strongly expect it includes middleware like web
browsers and servers.

In this neighborhood lurks a messy detail: the way in which Kerberos
credentials are managed locally varies from OS to OS.  I'm not an expert,
but I think that in UNIX the actual tickets are kept in some magic system
process.  In Win2K, the SSPI is used to get the tickets into and out of the
local security infrastructure.  So there has to be some OS-dependent code.
But I suspect it won't be an intolerable amount.

