Re: Kerberos support in standard services



On Thu, 2005-07-07 at 01:16 +0100, sxw@dcs.ed.ac.uk wrote:

> > Also SASL would be better... What is the current
> > status of this module. Does it still exist?
> 
> I don't think you could do general-purpose SASL over HTTP, as it requires 
> multiple 'rounds' from the underlying transport. HTTP, being stateless, 
> just gives you one shot.

The hack that Microsoft did for this was to tie the authentication to
the TCP socket, and require that it be kept open.  They used this for
NTLMSSP, as well as for SPNEGO (which may choose NTLMSSP or Kerberos).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
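
An added illustration of the connection-bound handshake described in this message (not code from the post or from any Microsoft or Samba implementation): a toy two-round challenge-response, standing in for NTLMSSP/SPNEGO, in which the server keeps handshake state per TCP connection. The `Toy` scheme name, `conn_id`, and the shared secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-shared-secret"  # constructed sample, stands in for the user's key


class ConnectionBoundServer:
    """Toy model: handshake state lives on the TCP connection, not in the request."""

    def __init__(self):
        self.pending = {}            # conn_id -> challenge issued on that socket
        self.authenticated = set()   # conn_ids that completed the handshake

    def handle(self, conn_id, authorization=None):
        if conn_id in self.authenticated:
            return 200, None                      # later requests ride on the socket
        if authorization is None:
            return 401, "Toy"                     # round 0: advertise the scheme
        if authorization == "Toy init":
            challenge = secrets.token_hex(8)
            self.pending[conn_id] = challenge     # state bound to this socket only
            return 401, "Toy " + challenge        # round 1: send the challenge
        challenge = self.pending.pop(conn_id, None)
        if challenge is None:
            return 401, "Toy"                     # no state on this socket: start over
        expected = "Toy " + respond(challenge)
        if hmac.compare_digest(authorization.encode(), expected.encode()):
            self.authenticated.add(conn_id)
            return 200, None                      # round 2: handshake complete
        return 401, "Toy"

    def close(self, conn_id):
        self.pending.pop(conn_id, None)
        self.authenticated.discard(conn_id)       # closing the socket drops the auth


def respond(challenge):
    """Client side: answer the server's challenge with a keyed hash."""
    return hmac.new(SECRET, challenge.encode(), hashlib.sha256).hexdigest()


def handshake(server, first_conn, second_conn):
    """Run all rounds; the final round is sent on second_conn."""
    server.handle(first_conn)
    _, header = server.handle(first_conn, "Toy init")
    challenge = header.split(" ", 1)[1]
    status, _ = server.handle(second_conn, "Toy " + respond(challenge))
    return status
```

A correct final round sent on a different connection is rejected because the challenge was stored against the first socket, which is why the socket has to be kept open for the whole exchange.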