Yep, will do. MS actually has a really good article detailing the asn.1 structure. On Nov 23, 2015 9:45 PM, "Zheng, Kai" <[email protected]> wrote:
> Ok, that's fine. Back to my previous email, comments? > >>but the first thing would be to implement those ASN1 types. Maybe you > could fire an issue and give those ASN1 types we need to support first? > > -----Original Message----- > From: Marc Boorshtein [mailto:[email protected]] > Sent: Tuesday, November 24, 2015 10:12 AM > To: [email protected] > Subject: RE: SPNEGO negotiation support > > So while technically spnego is supposed to be independent of kerberos from > a practical standpoint spnego isn't used without kerberos. Java does come > with a gssapi implementation but its tied to the hip to its kerberos > implementation and its not something that I can just call with a ticket and > generate a negotiate header. > On Nov 23, 2015 7:50 PM, "Zheng, Kai" <[email protected]> wrote: > > > I thought Kiran gave a good thought. The general SPNEGO negotiation > > itself doesn't involve Kerberos specifics. On the other hand, Kerberos > > is an important mechanism often used in the negotiation, we do need to > > think about what kinds of support is desired, to better support > > Kerberos deployment and usage covering the HTTP/REST/Browser interfaces? > > > > Marc, would you give your thorough thoughts and details about your > > requirement? We need further discussion here before we dive into the > > support. Thanks. > > > > Regards, > > Kai > > > > -----Original Message----- > > From: Zheng, Kai [mailto:[email protected]] > > Sent: Tuesday, November 24, 2015 8:29 AM > > To: [email protected] > > Subject: RE: SPNEGO negotiation support > > > > >> this negotiation happens between HTTP client and HTTP server, > > >> kerberos has nothing to do with it > > Yeah, kinds of so. It would be good if Marc could give more details. > > > > Oracle JRE provides SPNEGO support. I thought it might not hurt if > > Kerby also provides some similar things, in the library level. I'm not > > sure about this, but maybe at least Kerby can encode/decode SPNEGO > > negotiation messages? Anyway HTTP stuffs or whatever transport means > > shouldn't be involved. > > > > Regards, > > Kai > > > > -----Original Message----- > > From: Kiran Ayyagari [mailto:[email protected]] > > Sent: Tuesday, November 24, 2015 8:18 AM > > To: [email protected] > > Subject: Re: SPNEGO negotiation support > > > > On Tue, Nov 24, 2015 at 7:05 AM, Zheng, Kai <[email protected]> wrote: > > > > > Sounds great, Marc. I will continue to fix and test the path of > > > using TGS-REQ to request a service ticket against MIT KDC. > > > > > > >> now I just need to figure out how to convert that into a SPNEGO > > > negotiate header. > > > It would be good to support SPNEGO negotiation in Kerby. I haven't > > > got the time to review related specs, but the first thing would be > > > to implement those ASN1 types. Maybe you could fire an issue and > > > give those ASN1 types we need to support first? > > > > > this negotiation happens between HTTP client and HTTP server, kerberos > > has nothing to do with it > > > > > > > > Let's discuss this in a new thread. Thanks. > > > > > > Regards, > > > Kai > > > > > > -----Original Message----- > > > From: Marc Boorshtein [mailto:[email protected]] > > > Sent: Tuesday, November 24, 2015 4:50 AM > > > To: [email protected] > > > Subject: Re: KDC is rejecting my TGS > > > > > > OK, so that DOES get me an SGT! now I just need to figure out how > > > to convert that into a SPNEGO negotiate header. Any thoughts? > > > > > > > > > > > -- > > Kiran Ayyagari > > http://keydap.com > > >
