The options available in this section are specific to Kerberos tokens
received over HTTP and are only relevant when the
SPNEGO Over HTTP option is selected above.
Cookie Name:
The initial handshake between a Kerberos Client and Service can sometimes
involve the exchange of a series of requests and responses until the
secure context has been established. In such cases, an HTTP cookie can
be used to keep track of the context across multiple request and response
messages. Enter the name of this cookie in the field provided.
Allow Client Challenge:
In some cases, the client may not authenticate (i.e. send the
Authorization HTTP header) to the Kerberos Service
on its first request. The Kerberos Service should then respond
with an HTTP 401 response code, instructing the client to authenticate to
the server by sending up the Authorization header.
The client then sends up a second request, this time with the
Authorization header, which contains the relevant
Kerberos token. Check this option if you want to allow this type of
negotiation between the client and service.
Client Sends Body Only After Context is Established:
The Kerberos client may wait to mutually authenticate the Kerberos
service before sending the body of the message. If this setting is
enabled, the Kerberos service will accept the body after the context has
been established if the client provides the known cookie. The cookies
are cached in the configured cache.
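
The negotiation these three options control, sketched as an added Python example (not the product's own code). The cookie name `KRB_CTX`, the two-leg `accept_token` stand-in for real Kerberos token validation, and the 403 returned when challenges are disabled are assumptions; the `WWW-Authenticate: Negotiate` challenge header is the standard one for SPNEGO over HTTP.

```python
import base64
import secrets

COOKIE_NAME = "KRB_CTX"        # assumed value of the "Cookie Name" field
ALLOW_CLIENT_CHALLENGE = True  # the "Allow Client Challenge" checkbox
contexts = {}                  # cookie value -> state; stands in for the configured cache

def accept_token(state, token):
    # Stand-in for GSS-API context acceptance: this toy context needs two legs.
    legs = state["legs"] + 1
    return {"legs": legs, "established": legs >= 2}

def handle(headers, body=b""):
    """Process one HTTP request; return (status, response_headers)."""
    cookie = headers.get("Cookie", "")
    sid = cookie.split("=", 1)[1] if cookie.startswith(COOKIE_NAME + "=") else None
    state = contexts.get(sid)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        # No token: a body is accepted only under a cookie the service issued
        # itself and whose context is already established.
        if state and state["established"]:
            return 200, {}
        if ALLOW_CLIENT_CHALLENGE:
            return 401, {"WWW-Authenticate": "Negotiate"}
        return 403, {}  # assumed rejection status when challenges are disabled
    try:
        token = base64.b64decode(auth[len("Negotiate "):], validate=True)
    except ValueError:
        return 400, {}
    if state is None:
        # Never adopt a client-chosen cookie value: mint a fresh one.
        sid, state = secrets.token_urlsafe(16), {"legs": 0, "established": False}
    state = accept_token(state, token)
    contexts[sid] = state
    resp = {"Set-Cookie": f"{COOKIE_NAME}={sid}; Secure; HttpOnly"}
    if state["established"]:
        return 200, resp
    # More legs needed: challenge again and carry the server's reply token.
    resp["WWW-Authenticate"] = "Negotiate " + base64.b64encode(b"server-leg").decode()
    return 401, resp
```

A request that presents an unknown cookie value and no token is challenged again rather than having its body accepted, which is the check that keeps a forged cookie from bypassing authentication.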