httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Spreitzer" <sprei...@parc.xerox.com>
Subject RE: Kerberos authentication and authentication (proxy ticket forwarding)
Date Sat, 06 Nov 1999 01:28:30 GMT
> > ... it being the basis
> > for Windows 2000 security).
>
> My understanding (and this is out-of-date information) was that the
> implementation would be different enough to be annoyingly
> incompatible. Has this changed?

My understanding is that Windows 2000 will use a specialization of Kerberos
v5.  That is, every ticket Win2K produces will indeed be a real Kerberos v5
ticket, but not every K5 ticket will be equally useful to Win2K.
Specifically, Win2K has a specific idea of what appears in the
"authorization data" field of a ticket.  I've seen this asserted in a
number of places.  One example is the on-line MSDN site; see
<http://msdn.microsoft.com/library/backgrnd/html/msdn_distsecserv.htm> for
example (look in the section entitled "Kerberos Interoperability").  Note
that said page also has a vague reference to RFC 1964, and it's been
suggested that IE & IIS use this in their Kerberos flavor of HTTP
authentication.

Mike


Mime
View raw message