[37565] in Kerberos


Re: GSSAPI and SPNEGO question

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 11 18:40:24 2016

To: JSoet <jordan.soet@ca.ibm.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <57842042.1080804@mit.edu>
Date: Mon, 11 Jul 2016 18:40:02 -0400
In-Reply-To: <1468275289594-45704.post@n3.nabble.com>

On 07/11/2016 06:14 PM, JSoet wrote:
> I'm just trying to understand why this works? Am I misunderstanding the
> specification and the whole SPNEGO token is supposed to be passed into the
> GSSAPI call and all the details about how the token is structured are just
> for the GSSAPI implementors?

SPNEGO is intended to be used just like any other GSS mechanism.  It has
an OID (1.3.6.1.5.5.2), and its tokens are framed with this OID and can
be distinguished from tokens for other mechanisms.  RFC 4178 is there
for the benefit of the mechanism implementor.

(I'm not 100% sure this is also true on Microsoft using SSPI, but it's
definitely the case for MIT krb5 and Heimdal.)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
