neon@webdav.org

Subject: Re: [neon] Win32 SSPI Negotiate authentication with virtual host /multi-homed
From: Alec Kloss
Date: Tue, 3 Jul 2007 08:41:32 -0500
On 2007-07-03 14:51, Yves Martin wrote:
> On Tue, 2007-07-03 at 13:20 +0100, Joe Orton wrote:
> > On Tue, Jul 03, 2007 at 01:32:55PM +0200, Yves Martin wrote:
> > > My proposal:
> > > 1. DNS lookup of original serverName ("vhost.domain.com")
> > > 2. Reverse DNS each IP address returned by "ne_addr_resolve"
> > > 3. First result is used as SPN in "HTTP/main.domain.com"
> > 
> > This seems reasonable to me.  Not sure I understand why the SSPI 
> > libraries don't do this automatically but if it is done in GSSAPI, but 
> > so be it!
> 
> That is a good point. I will look at GSSAPI sources to know more about
> its behavior.
> 
> By the way, why not compile neon against MIT kerberos GSSAPI library on
> win32 too instead of using SSPI ? I mean "is it possible to do it ?"
> 

Can we be cautious about implementing DNS-based SPN
canonicalization?  I've been working for the last few weeks on
updating my employer's Subversion architecture to use mod_auth_kerb
for SSO and it's been quite the chore, in part because of
inconsistent reverse DNS.  Before proceeding, I hope
the ideas in this thread will be considered:

http://mailman.mit.edu/pipermail/kerberos/2005-July/008167.html

I'm obviously working on a similar project, but I'm using
mod_auth_kerb rather than SSPI.  The primary perk for mod_auth_kerb
rather than SSPI is support on non-Windows clients and support for
non-Windows KDCs.  Ironically enough, Apache itself is running on
Windows.  Here are the three things of note so far:


1. I've compiled Tortoise against MIT GSSAPI, and yes, it all works
great... as long as the client has MIT KFW installed, and makes
sure they're using the correct ticket cache.  If you're using
Active Directory, you need to change the ticket cache to the MSLSA:
cache.  

2. I've hacked up mod_auth_kerb to support multiple SPNs on the
server side, so if you have a machine which tends to canonicalize
to different SPNs (mine canonicalizes into at least 7) you can
still get everything to work.  

3. I've discovered that stock TortoiseSVN 1.4.4 crashes after
authenticating to the web server.  The version I've built against
MIT works fine.

-- 
Alec Kloss  alec@xxxxxxxxxxxxxxxxxx   IM: angryspamhater@xxxxxxxxx
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
The mountain called Monkey had spoken.  There was only fire.  -Gorillaz
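
Added example, not part of the original message and not neon or mod_auth_kerb code: a small audit of the three-step proposal quoted above (resolve the name, reverse-resolve each address, use the first result as the SPN), showing how inconsistent reverse DNS produces several candidate SPNs. The DNS tables, the `server_spns` set and the function names are constructed for illustration.

```python
# Constructed DNS data for illustration (not real records).
FORWARD = {"vhost.domain.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
REVERSE = {
    "192.0.2.10": ["main.domain.com"],
    "192.0.2.11": ["Alt.domain.com."],   # second interface, different PTR
    # 192.0.2.12 has no PTR record at all
}


def candidate_spns(server_name, forward, reverse, service="HTTP"):
    """Steps 1-2 of the proposal: resolve the name, reverse-resolve each address."""
    spns, no_ptr = [], []
    for addr in forward.get(server_name, []):
        names = reverse.get(addr, [])
        if not names:
            no_ptr.append(addr)
        for name in names:
            # Assumption: compare hosts lower-cased and without the trailing dot.
            spn = f"{service}/{name.rstrip('.').lower()}"
            if spn not in spns:
                spns.append(spn)
    return spns, no_ptr


def audit(server_name, server_spns, forward=FORWARD, reverse=REVERSE):
    """Report what a client following the proposal could end up requesting."""
    spns, no_ptr = candidate_spns(server_name, forward, reverse)
    return {
        "chosen": spns[0] if spns else None,      # step 3: first result wins
        "candidates": spns,
        "addresses_without_ptr": no_ptr,
        "consistent": len(spns) == 1 and not no_ptr,
        # SPNs a client may ask for that the server holds no key for.
        "missing_on_server": [s for s in spns if s not in server_spns],
    }


if __name__ == "__main__":
    report = audit("vhost.domain.com", server_spns={"HTTP/main.domain.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any entry in `missing_on_server` is a name for which the server would need an additional SPN and key, which is the situation the multi-SPN change to mod_auth_kerb in item 2 works around.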