httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Life is hard, and then you die." <ron...@innovation.ch>
Subject Re: Kerberos authentication and authentication (proxy ticket forwarding)
Date Sat, 06 Nov 1999 16:58:30 GMT
One day, Mike Spreitzer wrote:
> 
> My understanding is that Windows 2000 will use a specialization of Kerberos
> v5.  That is, every ticket Win2K produces will indeed be a real Kerberos v5
> ticket, but not every K5 ticket will be equally useful to Win2K.
> Specifically, Win2K has a specific idea of what appears in the
> "authorization data" field of a ticket.  I've seen this asserted in a
> number of places.  One example is the on-line MSDN site; see
> <http://msdn.microsoft.com/library/backgrnd/html/msdn_distsecserv.htm> for
> example (look in the section entitled "Kerberos Interoperability").  Note
> that said page also has a vague reference to RFC 1964, and it's been
> suggested that IE & IIS use this in their Kerberos flavor of HTTP
> authentication.

Quick question (I haven't looked at the RFC's etc yet): Are they doing
real http authentication, or are they doing connection authentication?
The reason I ask is that M$ have the NTLM (sometimes also referred to
as NTCR) authentication method in IE/IIS, but that thing, while
pretending to look like an http authorization method, is really a
connection authentication that happens to use HTTP header syntax. Since
they manage to screw up so often I'm just wondering...


  Cheers,

  Ronald


Mime
View raw message