Vadim, I suggest we discuss this offline since there is no need to copy verybody at [EMAIL PROTECTED]
Anyway, we are already aware of the support in IE and IIS/ISA and its restrictions. Our product architecture supports proxy servers as well as non-proxy servers because we designed it to do so. We can also support ISA if needed. Cheers, Tim. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 29 July 2003 13:36 To: [EMAIL PROTECTED] Subject: Re: GSSAPI x Kerberos Hi guys, Tim, how are you? ;-) A couple of related notes: MSIE 5+ installed on Windows 2000+ domain member supports Kerberos protocol for INTEGRATED authentication. In addition, it supports NTLM, but Kerberos is a preferable method if noth the server and the client support it (the choice of the strongest available protocol is required by RFC 2617). In most cases, in order to work properly, "Enable Integrated Windows Authentication" option should be turned on (check MS KB299838 for instructions). Such authentication works fine between MSIE and different Microsoft application services, supporting integrated authentication(e.g. IIS). However pay attention - MSIE supports Kerberos authentication with remote application servers ONLY, while it doesn't work with proxy (by design, refer to MS KB321728. This is a huge disadvantage since many organizations have MS ISA proxy servers, and have to disable integrated authentication because Kerberos is not supported, and NTLM is not secured enough (in addition to the protocol itself, NTLM-based integrated authentication requires a lot of unsecured connections between ISA and Domain Controller, such as cleartext LDAP, RPC etc). Tim, a question to you - is it possible to use client-side WebAccess MSIE plugin in order to allow Kerberos-based authentication with ISA server? Hope it helps, Vadim ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
