Hi,

At 13.14 13/11/2006, Henrik Nordstrom wrote:

For SPNEGO the interface is slightly more complex due to the multistage
nature of the protocol. If you know Samba ntlm_auth
--helper-protocol=gss-spnego then this is the helper protocol we use.
This protocol is based on the protocol we designed for NTLM
authentication helpers many years ago, but slightly different to adapt
for the requirements of SPNEGO.

REQUEST : <command><sp><base64spnegoblob><nl>
RESPONSE: <response><sp><base64spnegoblob|*>[<sp><details>]<nl>

commands:

YR      Start of a new Negotiate/SPNEGO handshake.

KK      Additional handshake from the client

responses:

AF      Authentication successful. The returned details indicate the username
in ASCII or UTF-8 encoding (not UTF-16).

TT      Authentication not yet finished. Challenge or additional blob to send
to the client.

NA      Permanent failure. Invalid credentials, request not understood, or
some other permanent problem processing the request. Details contain an
error message describing the condition.

BH      Temporary failure, for example communication error.

* may be used as a placeholder for the spnego blob if no blob is
available.

As a reference, you could look at the mswin_sspi negotiate helper for Windows, where the Windows native API access is almost isolated.


As for Basic there are plans to introduce the tagged request/response
format for these helpers as well, in which case the helper is expected
to be able to handle multiple challenge/response channels identified by
their tag, and optimally to be able to process multiple requests in
parallel (at most one per channel).

> Also I don't know
> what is the situation on the client side and what HTTP clients provide
> support for SPNEGO authN against proxies. I believe the Gecko-based browser
> support that but not sure.

It's not too bad these days I am told.

MSIE since MSIE 7 supports it. Or at least the Vista version.

All Internet Explorer 7 versions, XP, 2003 and Vista are using proxy SPNEGO.


Current versions of Firefox also support it, but maybe not enabled by
default.

Proxy SPNEGO support is enabled by default in Firefox and Seamonkey, while the HTTP SPNEGO support must be enabled.

Regards

Guido



-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1           10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
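
Added example, not part of the original message and not Squid or Samba code: a Python sketch of the helper side of the REQUEST/RESPONSE format quoted above, showing how YR/KK requests map to TT/AF/NA/BH responses. ToyBackend, handle_line and clean are hypothetical names, and the two-step token exchange is a constructed stand-in for a real GSS-API/SSPI acceptor.

```python
import base64
import binascii

class ToyBackend:
    """Constructed stand-in for a real SPNEGO acceptor (hypothetical).
    Round 1 returns a challenge; round 2 accepts the token b"ok:<user>"."""
    def __init__(self):
        self.started = False

    def step(self, token, new_handshake):
        if new_handshake:                      # YR resets the handshake state
            self.started = True
            return ("continue", b"challenge", None)
        if not self.started:
            raise ValueError("KK received before YR")
        self.started = False
        if token.startswith(b"ok:"):
            return ("done", None, token[3:].decode("utf-8"))
        raise ValueError("invalid credentials")

def clean(text):
    """Keep details on one line so they cannot forge a second response."""
    return text.replace("\r", " ").replace("\n", " ")

def handle_line(line, backend):
    """Turn one '<command> <base64blob>' request into one response line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2 or parts[0] not in ("YR", "KK") or not parts[1]:
        return "NA * request not understood"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return "NA * invalid base64 blob"
    try:
        state, out, user = backend.step(token, parts[0] == "YR")
    except ValueError as exc:                  # permanent problem -> NA
        return "NA * " + clean(str(exc))
    except OSError:                            # e.g. communication error -> BH
        return "BH * temporary failure"
    blob = base64.b64encode(out).decode("ascii") if out else "*"
    if state == "continue":
        return "TT " + blob                    # challenge goes back to the client
    return "AF " + blob + " " + clean(user)    # username as UTF-8 text
```

A real helper would read these lines from stdin in a loop and write each response followed by a newline, flushing after every response.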
