On Mon, Jun 25, 2007 at 12:31:44AM -0700, Henry B. Hotz wrote:
>
> On Jun 24, 2007, at 11:03 PM, Magnus Hagander wrote:
>
> >>I'm told that the way Apple's equivalent to mod_auth_kerb works is it
> >>uses GSS_C_NO_CREDENTIAL and then does a case-insensitive compare of
> >>the resulting match to "HTTP". We could do the same thing, if you
> >>think it's worth it.
> >
> >Do you know if this is documented somewhere? It's always nice with
> >references.
>
> Not as far as I know, publicly.
>
> I heard most of it from an Apple developer at the 2005 WWDC (and I
> inferred the rest from things Sam Hartman has said). I guess that
> technically puts it under NDA, except I think the code in question is
> open source. I don't know which project it's in so I haven't been
> able to locate it to verify what I said for sure.
Ok. no problem.
> What I can say for certain concerns the client side. Apple's Safari
> browser went through at least two iterations before they got it
> right: 1) in OSX 10.3 Safari would ask for a "server/
> server.example.com" service ticket. 2) in early 10.4 Safari would
> ask for a "http/server.example.com" service ticket (this actually
> works fine if have Active Directory as your Kerberos server, and IIS,
> or Apple as your web server). 3) in later 10.4 Safari asks for a
> "HTTP/server.example.com" service ticket. This is the correct thing
> to do.
>
> Due to the numbers of people talking to Apple about the situation
> (state 2) during that WWDC, they publicly acknowledged the problem
> and promised to fix it during the same WWDC. If you have access to
> the video recordings you can probably find the relevant session in
> the latter half of the week.
>
> The key technical point is that Kerberos is case sensitive, but
> Windows Kerberos isn't. We can deal with that how we choose, but I
> kind of like Apple's solution. It's annoying to have to put two
> service principals in the keytab, but I personally prefer that to
> going upper-case only just 'cause that's the only way Windows SSPI
> clients can work with non-Windows servers.
Interesting, indeed. I think gonig down the same approach they were using
is the best way to do, so I've changed my working copy back to that
version, and will update the documentation with that information.
//Magnus