Re: http/spnego connections

["Saqib Ali" <docbook.xml () gmail com>]

Hi Adam,

As far as I understand SPNEGO is a kerberos implementation for web
browsers. So it works the same way as a kerberos client would, i.e.
once you get the ticket it is valid for certain amount of time. You
don't need a persistent connection.

The ticket that the client gets from the Ticket Granting Server has
the following syntax:

Ticket (client, service) : service, [client, client address, validity,
Key(client, service)]Key(client, TGS)

Where "service" is the the resource that the client is trying to
access. In this case, the Web application.
"Validity" tells how long the ticket should be valid for. You can
force expire tickets on kerborized applications/client.

On Active Directory you can the set the ticket lifetime in the
Kerberos Policy setting using Group Policy Managment Console.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------