Hi,
At 13.14 13/11/2006, Henrik Nordstrom wrote:
>For SPNEGO the interface is slightly more complex due to the multistage
>nature of the protocol. If you know Samba ntlm_auth
>--helper-protocol=gss-spnego then this is the helper protocol we use.
>This protocol is based on the protocol we designed for NTLM
>authentication helpers many years ago, but slightly different to adopt
>for the requirements of SPNEGO.
>
>REQUEST : <command><sp><base64spnegoblob><nl>
>RESPONSE: <response><sp><base64spnegoblob|*>[<sp><details>]<nl>
>
>commands:
>
>YR Start of a new Negotiate/SPNEGO handshake.
>
>KK Additional handshake from the client
>
>responses:
>
>AF Authentication successful. The returned details indicate the username
>in ASCII or UTF-8 encoding (not UTF-16).
>
>TT Authentication not yet finished. Challenge or additional blob to send
>to the client.
>
>NA Permanent failure. Invalid credentials, request not understood, or
>some other permanent problem processing the request. Details contain an
>error message describing the condition.
>
>BH Temporary failure, for example communication error.
>
>* may be used as a placeholder for the spnego blob if no blob is
>available.
As a reference, you could look at the mswin_sspi negotiate helper for
Windows, where the Windows native API access is almost isolated.
>As for Basic there are plans to introduce the tagged request/response
>format for these helpers as well, in which case the helper is expected
>to be able to handle multiple challenge/response channels identified by
>their tag, and optimally to be able to process multiple requests in
>parallel (at most one per channel).
>
> > Also I don't know
> > what is the situation on the client side and what HTTP clients provide
> > support for SPNEGO authN against proxies. I believe the
> > Gecko-based browser support that but not sure.
>
>It's not too bad these days I am told.
>
>MSIE since MSIE 7 supports it. Or at least the Vista version.
All Internet Explorer 7 versions, XP, 2003 and Vista are using proxy SPNEGO.
>Current versions of Firefox also support it, but maybe not enabled by
>default.
Proxy SPNEGO support is enabled by default in Firefox and Seamonkey,
while the HTTP SPNEGO support must be enabled.
Regards
Guido
-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Nov 13 2006 - 13:36:19 MST
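
The helper side of the line protocol described in the message above, as an added example that is not part of the original post and is not Squid or Samba code. The names Channel, format_response and demo_step are hypothetical, and demo_step is a constructed two-round stand-in for a real SPNEGO acceptor. Sending NA for malformed requests and for a KK that arrives without a YR is this example's choice.

```python
import base64
import binascii

COMMANDS = {"YR", "KK"}               # request commands from the description
RESPONSES = {"AF", "TT", "NA", "BH"}  # response codes from the description

def format_response(code, blob=None, details=None):
    """Build one line: <response> <base64blob|*>[ <details>]<nl>."""
    if code not in RESPONSES:
        raise ValueError("unknown response code")
    line = code + " " + (base64.b64encode(blob).decode("ascii") if blob else "*")
    if details:
        # details share the protocol line: drop CR/LF and other control chars
        line += " " + "".join(c for c in details if c.isprintable())
    return line + "\n"

class Channel:
    """One handshake channel. step(is_new, blob) returns (code, blob, details)."""
    def __init__(self, step):
        self.step = step
        self.in_handshake = False

    def handle(self, line):
        parts = line.rstrip("\r\n").split(" ")
        if len(parts) != 2 or parts[0] not in COMMANDS:
            self.in_handshake = False
            return format_response("NA", details="request not understood")
        command, token = parts
        try:
            blob = base64.b64decode(token, validate=True)  # strict alphabet
            if not blob:
                raise ValueError("empty blob")
        except (binascii.Error, ValueError):
            self.in_handshake = False
            return format_response("NA", details="invalid base64 blob")
        if command == "KK" and not self.in_handshake:
            return format_response("NA", details="KK without a preceding YR")
        try:
            code, out, details = self.step(command == "YR", blob)
        except Exception:
            self.in_handshake = False
            return format_response("BH", details="internal helper error")
        self.in_handshake = (code == "TT")  # only TT keeps the handshake open
        return format_response(code, out, details)

def demo_step(is_new, blob):  # constructed acceptor, not real SPNEGO
    if is_new:
        return "TT", b"challenge", None
    return ("AF", None, "alice") if blob == b"ok" else ("NA", None, "bad credentials")
```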