GNULinux

It took me literally tens of hours to figure out how to do SPNEGO proxy authentication for JAVAs builtin HTTP routines. So let me share my results:

1. Documentation sucks as hell


2. Documentation sucks as hell, and there is plenty of it


3. JAVAs implementation of GSSAPI and Kerberos:
   a) fail to establish a security context with my MIT krb services (I was neither able to authenticate agains mod_auth_kerb and my squid negotiate helper),
   b) are a nightmare to configure and
   c) seem to be unable (without really ugly hacks) to obtain the credentials from MIT's default credential cache (are not using KRB5CCNAME env)


4. Fortunatly JAVA SE6 has a so called native Mode for JGSS - which you need to find first - see http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html - this setting makes JAVA use your GSSAPI Library instead of their fucked upenterpricy library

To make your Java Applications integrate with your well-established Kerberos SSO just set

export _JAVA_OPTIONS="-Dsun.security.jgss.native=true -Dsun.security.jgss.lib=/usr/lib/libgssapi_krb5.so -Dhttp.auth.preference=spnego -Dhttp.proxyHost= -Dhttp.proxyPort="

(Location of your gssapi library might differ)

Kerberos has been the de-facto industry standard for Single-Sign-On for many years but not yet been widely adapted for intranet/web-applications. Firefox supports GSSAPI (on Linux/Unix and Windows - using MIT Kerberos for Windows (KfW)) and SSPI (Windows) for Kerberos authentication quite a while, usable since version 1.5.

Because Microsoft also uses NTLM for SSO purposes they invented a GSSAPI pseudo-mechanism named SPNEGO to do negotiating of which of the protocols to use - fortunately MIT kerberbos (since version 1.5) supports SPNEGO (thanks to SUN donating a implementation) so we can use MITs GSSAPI library for the server side. SPNEGO is yet only supported on Linux platforms (KfW 3.1 includes a krb library of version 1.4.5 - 3.2 which is currently in beta status will have 1.6+) but at least Mozilla will automatically fall back to plain kerberos authentication which in case of a MIT server side will perfectly work.

Update: KfW 3.2 has been released today - SPNEGO now works on Windows.

I have not yet had a chance to experiment in a SSPI environment and there are rumors about Microsoft not implementing their own protocol (SPNEGO) correctly, so I cannot really say whether it is compatible.

There is a (not yet standardized) extension to the HTTP/1.1 specification which specifies the "HTTP negotiate" authentication method. We try to use it for SSO on web-applications and web-resources.

I wrote a PHP extension which gives server side support for this kind of authentication. Continue reading for directions on how to use it...