On 02/10/10 05:57, Max (Weijun) Wang wrote:
> Hi Wyllys
>
> We have a customer using apache 2.x with mod_auth_kerb as the web
> server, and Java 6 as the client. In Java's HTTP implementation, when
> we see a "WWW-Authenticate: Negotiate" header from the server, we
> would create a SPNEGO NegTokenInit and send it back in a
> WWW-Authorization header.
>
> Now, it looks like the customer's web server does not accept
> SPNEGO NegTokenInit, but only Kerberos AP-REQ. Is this true for the
> mod_auth_kerb module?

mod_auth_kerb does not understand GSSAPI exchanges, it only accepts raw Kerberos packets. mod_auth_gss uses GSSAPI tokens so that SPNEGO can be used to negotiate the authentication method to use. mod_auth_kerb and mod_auth_gss are 2 different modules. We support mod_auth_gss on Solaris.

> I want to know if there's a way to configure the module to accept the
> SPNEGO token. Or, if it really only accepts Kerberos tokens, can it
> send "WWW-Authenticate: Kerberos" instead of "WWW-Authenticate:
> Negotiate"?

I don't know, I did not write mod_auth_kerb and we do not deliver it on Solaris. Talk to the mod_auth_kerb developers. Sorry.

> The customer is using RedHat Linux, but I guess it should not make
> much difference.

-Wyllys