The following fields can be configured on this tab:
Mechanism:
Select the mechanism used to establish a context between the Enterprise Gateway
and the Kerberos service. The Kerberos service must use the same
mechanism.
Mutual Authentication:
Request that mutual authentication be carried out during context setup,
i.e. the service authenticates back to the client. For the SPNEGO
mechanism this must be turned on.
Integrity:
Enables data integrity for GSS operations.
Confidentiality:
Enables data confidentiality for GSS operations.
Credential Delegation:
Request that the initiator's credentials be delegated to the acceptor
during context setup. When this option is checked, the acceptor can
then assume the initiator's identity and authenticate to other Kerberos
services on behalf of the initiator.
Anonymity:
Request that the client's identity is not disclosed to the service.
Replay Detection:
Enables replay detection for the per-message security services after
context establishment.
Sequence Checking:
Turns on sequence checking for the per-message security services
after context establishment.
Synchronize to Avoid Replays Errors at Service:
When the Kerberos Client is running "under stress" and sends many requests to a
Kerberos Service within a very short (millisecond) timeframe, successive Kerberos
Authenticator tokens generated by the client may contain identical values in the
ctime field (the current time on the client's host) and the cusec field (the
microsecond portion of the client's timestamp).
Because Kerberos Service implementations commonly compare the ctime and cusec
values of successive Authenticator tokens to detect replay attacks, the Service
may reject Authenticator requests whose ctime and cusec fields match those of an
earlier request.
Select this option to synchronize the creation of Authenticator requests for a
particular Service so that the Client does not generate successive requests with
identical ctime and cusec fields. Authenticator request generation is
synchronized using the Pause Time field below.
Pause Time:
Specify the time interval (in milliseconds) to wait before generating
client-side Authenticator tokens when synchronizing to avoid
over-zealous replay detection at the Kerberos Service. This field is only
enabled if the Synchronize to Avoid Replays Errors at Service
checkbox is checked above.
Note that the default value of 15 milliseconds matches the clock resolution of
operating systems such as Windows. Consult your operating system documentation
for the clock resolution of your target system.
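The interaction between a coarse client clock, a service-side replay check on ctime/cusec, and the Pause Time setting is easier to see in a small simulation. The following is an added illustration written for this page, not the Enterprise Gateway's own code: it models a service that remembers every (client principal, ctime, cusec) triple it has seen and rejects repeats, and a client whose clock only advances in 15 ms ticks. The principal name, the 15 ms tick, the 1 ms request spacing and the `generate_authenticators` helper are all constructed for the example.

```python
"""Simulated ctime/cusec replay detection, with and without client-side synchronization.

Added example, not Enterprise Gateway code. The service side keeps a replay cache
keyed on (client, ctime, cusec); the client side stamps Authenticators from a clock
that only updates every CLOCK_RESOLUTION_US microseconds (assumed 15 ms tick).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLOCK_RESOLUTION_US = 15_000            # assumed host clock tick: 15 ms, as in the Pause Time default
CLIENT_PRINCIPAL = "gateway@EXAMPLE.COM"  # constructed placeholder principal


@dataclass(frozen=True)
class Authenticator:
    """The Authenticator fields that matter for the replay check described above."""
    client: str
    ctime: int   # client time, whole seconds
    cusec: int   # microsecond part of the client time


def coarse_timestamp(elapsed_us: int) -> Tuple[int, int]:
    """Split elapsed microseconds into (ctime, cusec) as read from a clock that
    only moves forward in whole ticks of CLOCK_RESOLUTION_US."""
    ticked = (elapsed_us // CLOCK_RESOLUTION_US) * CLOCK_RESOLUTION_US
    return ticked // 1_000_000, ticked % 1_000_000


class ReplayCache:
    """Service side: remember every (client, ctime, cusec) seen and reject repeats."""

    def __init__(self) -> None:
        self._seen = set()

    def accept(self, auth: Authenticator) -> bool:
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return False        # identical timestamp: treated as a replay
        self._seen.add(key)
        return True


def generate_authenticators(count: int, arrival_gap_us: int, pause_us: int = 0) -> List[Authenticator]:
    """Client side. Requests arrive arrival_gap_us apart. With pause_us == 0 every
    Authenticator is stamped the moment its request arrives (unsynchronized). With
    pause_us > 0 generation is serialized and at least pause_us elapses between
    successive stamps, which is what the Synchronize option and Pause Time control."""
    tokens: List[Authenticator] = []
    last_stamp_us: Optional[int] = None
    for i in range(count):
        arrival_us = i * arrival_gap_us
        stamp_us = arrival_us
        if pause_us and last_stamp_us is not None:
            stamp_us = max(arrival_us, last_stamp_us + pause_us)
        ctime, cusec = coarse_timestamp(stamp_us)
        tokens.append(Authenticator(CLIENT_PRINCIPAL, ctime, cusec))
        last_stamp_us = stamp_us
    return tokens


def count_replay_rejections(tokens: List[Authenticator]) -> int:
    """Feed the tokens, in order, to a fresh replay cache and count how many it rejects."""
    cache = ReplayCache()
    return sum(0 if cache.accept(t) else 1 for t in tokens)


if __name__ == "__main__":
    burst = generate_authenticators(count=10, arrival_gap_us=1_000)
    print("unsynchronized, 10 requests 1 ms apart:", count_replay_rejections(burst), "rejected")
    synced = generate_authenticators(count=10, arrival_gap_us=1_000, pause_us=CLOCK_RESOLUTION_US)
    print("synchronized, pause = clock resolution:", count_replay_rejections(synced), "rejected")
    short = generate_authenticators(count=10, arrival_gap_us=1_000, pause_us=5_000)
    print("synchronized, pause shorter than resolution:", count_replay_rejections(short), "rejected")
```

With ten requests 1 ms apart, the unsynchronized client stamps all of them inside a single 15 ms tick and the service rejects nine as replays. A pause equal to the clock resolution pushes each stamp into its own tick and nothing is rejected, while a pause shorter than the tick (5 ms here) still produces collisions, which is why the default Pause Time is matched to the host's clock resolution rather than chosen arbitrarily.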