Posted by Roger Abell [MVP] on September 14, 2006, 2:41 am
Hi Patrick,
I do not have answers to all that you ask - just setting expectations.
I do want to clarify a few things however.
If you implement all that you indicate you may be attempting then
you would probably be nearly marketable, as I assume your searches
have indicated that this is not a well-filled area.
Let us clear some things up.
> (1) If a client uses the Microsoft SSPI interface and SPNEGO,
> can a server use the JGSS APIs or does the server also
> have to use the Microsoft SSPI interface?
Windows WILL use SSPI, which is an abstraction layer introduced
with W2k to allow authentication mechanisms to be abstracted away
from the Windows internals of an account being used. This layer
can be used by any of a number of authentication providers, and the
SPNEGO is the process of the two parties finding (what Windows
considers to be the strongest) one of them that they have in common.
Windows has been involved with GSS since it was just draft, and
JGSS (which has multiple implementations) is supposed to be fully
GSS std satisfying (in its implementations), just as Windows is
supposed to meet the GSS spec.
So, does that mean you can write something that uses JGSS to
authenticate to Windows ??
Not really.
GSS is only, so to speak, a transport. It is used by the two parties
to establish a secure communications channel. But GSS does not
specify the authenticator or restrict the form of identity info used.
However, I have never noticed mention of GSS in any way in
Windows except in conjunction with use of Kerberos.
That is where this part comes in:
> I'm confused why some articles say that I need to create kerberos
> service tickets and some do not.
Kerberos serves as the default authenticator of choice (preferred
in the SPNEGO negotiation if in common between the parties) in
all post NT4 Windows.
So, coming from perspective of writing a Java implementation of
something, running on non-Windows, you face a couple of issues.
That which you posted about, i.e. can you find a JGSS implementation
that will work with Windows (i.e. as a client in a Kerberos realm)
and/or with Windows AD.
And, the other, can you find a way to have credentials in common
between your app / its system and the Windows you articulate with.
Kerberos would be the form of choice, but you would need to deal
with standards allowed variances in just how Kerberos is used by
each - specifically the encryption algorithms used and Microsoft PAC
use of Kerberos' ability to carry implementation specific "extra" info
(which Windows uses for the user tokenization, i.e. the PAC).
I notice that IBM docs appear to indicate that the IBM JGSS does
articulate with Windows and Windows AD, having the support for
the needed RC4 HMAC encryption.
Clear as mud, right? And that was only partial and a small step
above hand waving <g>
Roger
> I've been looking into single sign-on solutions using SPNEGO.
> There's a lot of articles written about it so I've done a lot
> of reading and some playing.
>
> I've got a couple questions that I'm hoping someone can answer.
>
> (1) If a client uses the Microsoft SSPI interface and SPNEGO,
> can a server use the JGSS APIs or does the server also
> have to use the Microsoft SSPI interface?
>
> From what I've read, I get the impression that this is
> possible, but I haven't seen anyone else ask this question
> or seen an answer.
>
> My gut feeling is that it is not possible.
>
> (2) Are there any open source Java based solutions
> that use SPNEGO? I've seen something called Tagish
> See http://www.theserverside.com/tt/blogs/showblog.tss?id=ServletApp
>
> Are there others that anyone knows of?
>
> (3) Are there any sample Java programs that implement trusted services?
> The only thing I've found so far is from a company called
> AppliedCrypto http://www.appliedcrypto.com.
> I'm still looking at it so I don't (yet) have comments.
>
> I'm confused why some articles say that I need to create kerberos
> service tickets and some do not.
>
> Thanks,
> Patrick
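Added example, not part of the thread or of any product mentioned in it: Roger describes SPNEGO as the two parties finding a mechanism they have in common, with Kerberos preferred over other options. The script below shows what that negotiation actually looks like on the wire. It builds a constructed SPNEGO NegTokenInit (RFC 4178, DER encoded) listing the mechanisms a Windows-style SSPI client typically offers, parses it back as a JGSS-style acceptor would, and selects the mechanism following the RFC 4178 rule (the initiator's list is in preference order and the acceptor takes the first entry it supports). The OIDs are the published values for SPNEGO, Kerberos V5, the Microsoft Kerberos variant and NTLMSSP; the sample mechToken bytes are a placeholder, not a real Kerberos AP-REQ.

```python
"""SPNEGO NegTokenInit: encode, decode and choose the common mechanism.

Constructed example: a minimal DER encoder/parser is used so that the
script runs offline with no KDC, no SSPI and no JGSS provider.
"""
from typing import Dict, List, Optional, Set, Tuple

# Published mechanism OIDs (dotted form).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft's Kerberos alias OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NAMES = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "MS Kerberos V5",
         OID_NTLMSSP: "NTLMSSP"}

# ASN.1 tags used by the SPNEGO InitialContextToken / NegTokenInit.
TAG_APP0, TAG_SEQ, TAG_OID, TAG_OCTET = 0x60, 0x30, 0x06, 0x04
TAG_CTX0, TAG_CTX2 = 0xA0, 0xA2          # [0] mechTypes / negTokenInit, [2] mechToken


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content octets (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body: bytes) -> str:
    """DER content octets -> dotted OID."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple (definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); rejects a length that overruns buf."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_neg_token_init(mechs: List[str], mech_token: bytes) -> bytes:
    """What an initiator sends: GSS header + SPNEGO OID + negTokenInit."""
    mech_list = tlv(TAG_SEQ, b"".join(tlv(TAG_OID, encode_oid(m)) for m in mechs))
    fields = tlv(TAG_CTX0, mech_list) + tlv(TAG_CTX2, tlv(TAG_OCTET, mech_token))
    neg_init = tlv(TAG_CTX0, tlv(TAG_SEQ, fields))
    return tlv(TAG_APP0, tlv(TAG_OID, encode_oid(OID_SPNEGO)) + neg_init)


def parse_neg_token_init(token: bytes) -> Tuple[List[str], bytes]:
    """Acceptor side: extract the offered mechTypes and the optimistic mechToken."""
    tag, body, _ = read_tlv(token)
    if tag != TAG_APP0:
        raise ValueError("not a GSS-API initial context token")
    tag, oid_body, pos = read_tlv(body)
    if tag != TAG_OID or decode_oid(oid_body) != OID_SPNEGO:
        raise ValueError("thisMech is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != TAG_CTX0:
        raise ValueError("expected negTokenInit ([0])")
    _, fields, _ = read_tlv(neg)
    mechs, mech_token, pos = [], b"", 0
    while pos < len(fields):
        tag, val, pos = read_tlv(fields, pos)
        if tag == TAG_CTX0:                 # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            p = 0
            while p < len(lst):
                _, oid_body, p = read_tlv(lst, p)
                mechs.append(decode_oid(oid_body))
        elif tag == TAG_CTX2:               # mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(val)
    return mechs, mech_token


def select_mechanism(offered: List[str], supported: Set[str]) -> Optional[str]:
    """RFC 4178 choice: first mechanism in the initiator's list we support."""
    return next((m for m in offered if m in supported), None)


def negotiate(token: bytes, supported: Set[str]) -> Dict[str, object]:
    """Summarise the acceptor's decision; the mechToken is only usable when
    the chosen mechanism is the initiator's first (optimistic) choice."""
    offered, mech_token = parse_neg_token_init(token)
    chosen = select_mechanism(offered, supported)
    return {"offered": offered, "chosen": chosen,
            "optimistic_token_usable": bool(chosen) and chosen == offered[0],
            "mech_token_len": len(mech_token)}


if __name__ == "__main__":
    # Constructed client offer in the order a Windows SSPI client uses.
    client = build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x00placeholder")
    for label, caps in (("Kerberos-only JGSS acceptor", {OID_KRB5, OID_MS_KRB5}),
                        ("NTLM-only acceptor", {OID_NTLMSSP})):
        result = negotiate(client, caps)
        print(label, "->", NAMES.get(result["chosen"], result["chosen"]), result)
```

A Kerberos-capable acceptor picks the Microsoft Kerberos OID because it is first in the client's list, and can consume the optimistic mechToken (the AP-REQ) straight away; an acceptor that only knows NTLMSSP still finds common ground but must discard that first token and reply with a negTokenResp asking for an NTLM exchange, which is the round trip Roger alludes to when he says SPNEGO is the two parties finding the strongest shared mechanism.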