I thought Kiran gave a good thought. The general SPNEGO negotiation itself doesn't involve Kerberos specifics. On the other hand, Kerberos is an important mechanism often used in the negotiation, we do need to think about what kinds of support is desired, to better support Kerberos deployment and usage covering the HTTP/REST/Browser interfaces?
Marc, would you give your thorough thoughts and details about your requirement? We need further discussion here before we dive into the support. Thanks. Regards, Kai -----Original Message----- From: Zheng, Kai [mailto:[email protected]] Sent: Tuesday, November 24, 2015 8:29 AM To: [email protected] Subject: RE: SPNEGO negotiation support >> this negotiation happens between HTTP client and HTTP server, >> kerberos has nothing to do with it Yeah, kinds of so. It would be good if Marc could give more details. Oracle JRE provides SPNEGO support. I thought it might not hurt if Kerby also provides some similar things, in the library level. I'm not sure about this, but maybe at least Kerby can encode/decode SPNEGO negotiation messages? Anyway HTTP stuffs or whatever transport means shouldn't be involved. Regards, Kai -----Original Message----- From: Kiran Ayyagari [mailto:[email protected]] Sent: Tuesday, November 24, 2015 8:18 AM To: [email protected] Subject: Re: SPNEGO negotiation support On Tue, Nov 24, 2015 at 7:05 AM, Zheng, Kai <[email protected]> wrote: > Sounds great, Marc. I will continue to fix and test the path of using > TGS-REQ to request a service ticket against MIT KDC. > > >> now I just need to figure out how to convert that into a SPNEGO > negotiate header. > It would be good to support SPNEGO negotiation in Kerby. I haven't got > the time to review related specs, but the first thing would be to > implement those ASN1 types. Maybe you could fire an issue and give > those ASN1 types we need to support first? > this negotiation happens between HTTP client and HTTP server, kerberos has nothing to do with it > > Let's discuss this in a new thread. Thanks. > > Regards, > Kai > > -----Original Message----- > From: Marc Boorshtein [mailto:[email protected]] > Sent: Tuesday, November 24, 2015 4:50 AM > To: [email protected] > Subject: Re: KDC is rejecting my TGS > > OK, so that DOES get me an SGT! now I just need to figure out how to > convert that into a SPNEGO negotiate header. Any thoughts? > -- Kiran Ayyagari http://keydap.com
