Re: SPNEGO seems to work on Windows !!!

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Mon, 17 Oct 2005 00:41:40 +0200

Hi Henrik,

At 23.56 16/10/2005, Henrik Nordstrom wrote:

>On Sun, 16 Oct 2005, Serassio Guido wrote:
>
>>Yes, I have read (too !!!) many times this documentation before
>>having a running helper.
>>I have rearranged my code for a non-fixed token exchange; it should
>>work in the worst case (I hope ....).
>
>We are probably reading different documents however.
>
>The clearest document I have read is Internet Draft
>draft-jaganathan-kerberos-http-01.txt found in the doc/rfc/
>directory of Squid-3.

Read this too .... :-)
And this technical article, very interesting:
http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-1.asp

> This documents the HTTP aspects of the Negotiate scheme. Does not
> really touch how to talk to the Windows SPNEGO SSP however, but
> does detail that the exchange may require anywhere from 1 to N
> steps, and that even in the last response may there be a blob
> returned to the client.
>
>What I would expect is that the first request requires a series of
>exchanges to set up the GSSAPI context, and that subsequent requests
>(connections) only need a single exchange reaffirming the same
>context until the token expires.

Exactly what I was expecting before .... :-)
And every document that I have found describes a similar behaviour.

I spent more than one day before discovering, by capturing the network
traffic between Firefox and ISA Server with Ethereal, that only one
exchange was needed.

I think that probably the usage of Active Directory as Kerberos
backend changes something in the negotiation process when both server
and client are members of the same Windows domain.
The KDC runs on Domain Controllers, and the Kerberos tickets are
provided in a preauthenticated state.
After the first packet, on the client I can already see a valid
Service Token HTTP/proxy.fqdn, before any response from the proxy.

>Is there a blob returned updating the context at least?

Yes, I get a blob and it's returned to the browser.
The strange thing is that ISA Server doesn't return anything .... :-(
So I don't know if it's really used by the browser.

In the security log of the proxy machine (both ISA and Squid),
Kerberos local logon success events related to the client user
account are recorded. This means that the Kerberos service token is
accepted by the proxy machine.

>I have also tried to follow the MSDN documentation on the SPNEGO SSP
>API, but always seem to get lost somewhere.. and all those damned
>frames do not make life easier either (very hard to bookmark).

Take a look in the following pages:

http://msdn.microsoft.com/library/en-us/dnsecure/html/sspikerberos.asp
http://msdn.microsoft.com/library/en-us/secauthn/security/sspi.asp
http://msdn.microsoft.com/library/en-us/secauthn/security/using_sspi.asp
http://msdn.microsoft.com/msdnmag/issues/0500/security/toc.asp
http://msdn.microsoft.com/msdnmag/issues/0800/security/toc.asp

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
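The thread above is about how many Negotiate round trips a client actually performs and whether the final proxy response still carries a blob. The following is an added example (not code from this thread, Squid or ISA Server) that a defender can use on captured `Proxy-Authenticate` / `Proxy-Authorization` headers to answer exactly those questions: it decodes the base64 blob, recognises the GSS-API InitialContextToken framing from RFC 2743 (the `0x60` APPLICATION tag followed by the mechanism OID), and tells SPNEGO (1.3.6.1.5.5.2), raw Kerberos 5 (1.2.840.113554.1.2.2) and raw NTLMSSP apart, then summarises a whole exchange. The sample exchange and the token bodies inside it are constructed placeholders, not real NegTokenInit or AP-REQ contents; `build_token`, `summarize_exchange` and the `SAMPLE_EXCHANGE` list are this example's own names.

```python
"""Classify and summarise the tokens of an HTTP Negotiate exchange.

Added example. The blobs used here are constructed inline from the
GSS-API InitialContextToken framing (RFC 2743 section 3.1); they are
not captures from any browser, proxy or domain controller.
"""
import base64

# DER-encoded mechanism OIDs as they appear right after the 0x60 tag.
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                # raw NTLM message header


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def build_token(oid: bytes, body: bytes) -> bytes:
    """Wrap body in GSS-API framing: 0x60 LEN 0x06 OIDLEN OID body.
    Used only to construct the sample tokens below (placeholder bodies)."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return b"\x60" + _der_length(len(inner)) + inner


def classify_gss_token(token: bytes) -> str:
    """Return 'spnego', 'krb5', 'ntlm' or 'unknown:<oid hex>' for a token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # some clients send bare NTLMSSP under the Negotiate scheme
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken (no APPLICATION 0 tag)")
    _, pos = _read_der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("missing mechanism OID after token header")
    oid_len, pos = _read_der_length(token, pos + 1)
    oid = token[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "krb5"
    return "unknown:" + oid.hex()


def parse_negotiate_header(header_value: str) -> bytes:
    """Return the decoded blob of a 'Negotiate [base64]' header value.
    A bare 'Negotiate' (the initial challenge) yields an empty blob."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: %r" % header_value)
    if not b64.strip():
        return b""
    return base64.b64decode(b64.strip(), validate=True)


def summarize_exchange(messages):
    """messages: [(direction, header_value)] in wire order, 'C' or 'S'.
    Reports how many client tokens were sent (the round-trip count the
    thread discusses), the outer mechanism of the first client token, and
    whether the last server message still carried a blob."""
    client = [parse_negotiate_header(h) for d, h in messages if d == "C"]
    server = [parse_negotiate_header(h) for d, h in messages if d == "S"]
    return {
        "round_trips": len(client),
        "mechanism": classify_gss_token(client[0]) if client else None,
        "final_server_blob": bool(server) and len(server[-1]) > 0,
    }


def _hdr(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed exchange mirroring the single round trip described in the
# thread: empty challenge, one SPNEGO client token, final reply with a blob.
SAMPLE_EXCHANGE = [
    ("S", "Negotiate"),                                   # 407 challenge, no blob
    ("C", _hdr(build_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00"))),  # placeholder body
    ("S", _hdr(build_token(SPNEGO_OID, b"\xa1\x03\x02\x01\x00"))),  # placeholder body
]

if __name__ == "__main__":
    print(summarize_exchange(SAMPLE_EXCHANGE))
```

Run it over headers pulled from a capture (or from Squid's helper debug output) to see whether a client is really completing the context in one leg and which outer mechanism it chose; a result of `ntlm` or an `unknown:` OID on a Kerberos-only deployment is the kind of fallback worth investigating.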
Received on Sun Oct 16 2005 - 16:42:22 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:07 MST