So while technically SPNEGO is supposed to be independent of Kerberos, from a practical standpoint SPNEGO isn't used without Kerberos. Java does come with a GSSAPI implementation, but it's tied at the hip to its Kerberos implementation and it's not something that I can just call with a ticket and generate a Negotiate header.

On Nov 23, 2015 7:50 PM, "Zheng, Kai" <[email protected]> wrote:
> I thought Kiran gave a good thought. The general SPNEGO negotiation itself
> doesn't involve Kerberos specifics. On the other hand, Kerberos is an
> important mechanism often used in the negotiation, we do need to think
> about what kinds of support is desired, to better support Kerberos
> deployment and usage covering the HTTP/REST/Browser interfaces?
>
> Marc, would you give your thorough thoughts and details about your
> requirement? We need further discussion here before we dive into the
> support. Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Zheng, Kai [mailto:[email protected]]
> Sent: Tuesday, November 24, 2015 8:29 AM
> To: [email protected]
> Subject: RE: SPNEGO negotiation support
>
> >> this negotiation happens between HTTP client and HTTP server,
> >> kerberos has nothing to do with it
> Yeah, kinds of so. It would be good if Marc could give more details.
>
> Oracle JRE provides SPNEGO support. I thought it might not hurt if Kerby
> also provides some similar things, in the library level. I'm not sure about
> this, but maybe at least Kerby can encode/decode SPNEGO negotiation
> messages? Anyway HTTP stuffs or whatever transport means shouldn't be
> involved.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Kiran Ayyagari [mailto:[email protected]]
> Sent: Tuesday, November 24, 2015 8:18 AM
> To: [email protected]
> Subject: Re: SPNEGO negotiation support
>
> On Tue, Nov 24, 2015 at 7:05 AM, Zheng, Kai <[email protected]> wrote:
>
> > Sounds great, Marc. I will continue to fix and test the path of using
> > TGS-REQ to request a service ticket against MIT KDC.
> >
> > >> now I just need to figure out how to convert that into a SPNEGO
> > negotiate header.
> > It would be good to support SPNEGO negotiation in Kerby. I haven't got
> > the time to review related specs, but the first thing would be to
> > implement those ASN1 types. Maybe you could fire an issue and give
> > those ASN1 types we need to support first?
> >
> this negotiation happens between HTTP client and HTTP server, kerberos has
> nothing to do with it
>
> >
> > Let's discuss this in a new thread. Thanks.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Tuesday, November 24, 2015 4:50 AM
> > To: [email protected]
> > Subject: Re: KDC is rejecting my TGS
> >
> > OK, so that DOES get me an SGT! now I just need to figure out how to
> > convert that into a SPNEGO negotiate header. Any thoughts?
> >
> >
>
> --
> Kiran Ayyagari
> http://keydap.com
>
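The thread asks how a service ticket becomes a SPNEGO `Negotiate` header and which ASN.1 types that needs. The following is an added example, not code from the thread or from Kerby: it DER-encodes the initial SPNEGO token (RFC 4178 NegTokenInit) around a Kerberos GSS-API token (RFC 4121). It assumes the caller has already built a DER-encoded AP-REQ from the service ticket; the class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.util.Base64;

public class SpnegoInitToken {
    // DER-encoded OIDs, tag and length included.
    static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02}; // 1.3.6.1.5.5.2
    static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                                    (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};              // 1.2.840.113554.1.2.2

    // One DER TLV: tag, definite length (short or long form), then the concatenated parts.
    static byte[] tlv(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] p : parts) body.write(p, 0, p.length);
        int n = body.size();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (n < 0x80) {
            out.write(n);
        } else {
            int lenBytes = (n <= 0xff) ? 1 : (n <= 0xffff) ? 2 : (n <= 0xffffff) ? 3 : 4;
            out.write(0x80 | lenBytes);
            for (int i = lenBytes - 1; i >= 0; i--) out.write((n >> (8 * i)) & 0xff);
        }
        out.write(body.toByteArray(), 0, n);
        return out.toByteArray();
    }

    // apReq: DER-encoded KRB_AP_REQ built from the service ticket (assumed input).
    static String negotiateHeader(byte[] apReq) {
        // RFC 4121 4.1: [APPLICATION 0] { krb5 OID, TOK_ID 01 00 (AP-REQ), AP-REQ }
        byte[] krbToken = tlv(0x60, KRB5_OID, new byte[] {0x01, 0x00}, apReq);
        // RFC 4178 4.2.1: NegTokenInit ::= SEQUENCE { mechTypes [0], mechToken [2] }
        byte[] negTokenInit = tlv(0x30,
                tlv(0xa0, tlv(0x30, KRB5_OID)),
                tlv(0xa2, tlv(0x04, krbToken)));
        // RFC 2743 3.1 framing: [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }
        byte[] spnego = tlv(0x60, SPNEGO_OID, tlv(0xa0, negTokenInit));
        return "Negotiate " + Base64.getEncoder().encodeToString(spnego);
    }

    public static void main(String[] args) {
        // Constructed placeholder bytes, not a valid AP-REQ; substitute a real one.
        byte[] fakeApReq = {0x6e, 0x03, 0x30, 0x01, 0x00};
        System.out.println("Authorization: " + negotiateHeader(fakeApReq));
    }
}
```

The SPNEGO layer is only the outer ASN.1 wrapper here; the AP-REQ inside still has to carry an authenticator encrypted under the ticket's session key.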
