The GSSAPI Properties dialog can be accessed by clicking on the Properties button in the Authentication group of the Connection/SSH2 category of the Session Options dialog when GSSAPI is the specified authentication method.

GSSAPI (Generic Security Services Application Program Interface) is a generic API for performing client/server authentication. GSSAPI allows SecureFX to authenticate with a server without knowing anything about the specific authentication mechanism in use.

Method

SecureFX supports the following types of GSSAPI provider:

•    MS Kerberos - In order to use this provider, SecureFX must be running on Windows 2000 or newer. The Windows 2000 computer must have been configured as part of an Active Directory domain or been configured to participate in a Kerberos realm.

•    GSSAPI - In order to use this provider, you must have a Gssapi32.dll file provided by a third party (e.g., the MIT Kerberos distribution). This third-party application must be configured correctly for your environment.

•    Auto Detect - This setting instructs SecureFX to attempt to automatically determine which of the above two methods will work with the server that you are connecting to. This is the recommended setting.

Delegation

When SecureFX authenticates with GSSAPI, it can control whether or not the server is allowed to access other secured resources (such as network file servers) without further prompting for credentials. SecureFX supports the following delegation settings:

•    Full - If this delegation is selected and the GSSAPI mechanism both supports delegation and is configured to allow delegation, the server may be able to access other secured resources without prompting for credentials.

•    None - If this delegation is selected, the server may have to prompt for further authentication in order to access secured resources such as network files or printers, or to log on to a different server.

•    Limited - This delegation is the same as Full delegation for the MS Kerberos method. If the GSSAPI method is in use, its meaning is determined by the Gssapi32.dll in use.

Advanced >>

Pressing this button expands (or contracts) the GSSAPI Properties dialog to display (or hide) the following options.

SPN (Server Principal Name) group

When authenticating with GSSAPI, SecureFX must determine the canonical name of a server. The server has exactly one canonical name, which no other server can share. The server may have other names, for example, the server 192.168.20.1 may be known as mail.mydomain.com, mydomain.com and mail, but it has only one canonical name, mail.mydomain.com.

SecureFX uses this canonical name to form a Server Principal Name (SPN) which the GSSAPI provider uses to identify the server with which it should authenticate.

SecureFX usually uses the host variable (HOST) to determine the server SPN. This, however, depends on hostname lookups working correctly. If they do not, this behavior can be overridden by manually specifying the SPN.

Manually specify the SPN (default is host@$(HOST))

Checking this box will enable the SPN text box below and allow you to manually specify the SPN.

SPN

Enter the SPN string. The string is almost always of the form host@<server canonical name>. An example of a valid string is "host@mail.mydomain.com". SecureFX will make the following variable substitutions in the specified SPN name:

•    $(HOST) - the hostname as specified in the Session Options/Connection/SSH2 category.

•    $(PORT) - the port as specified in the Session Options/Connection/SSH2 category.

If the server is in a different Kerberos realm, the realm name may need to be appended (e.g., host@mail.mydomain.com@KRBS.MYDOMAIN.COM).
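The following is an added example (not SecureFX code) that walks through what the SPN group above describes: expanding the $(HOST) and $(PORT) variables in an SPN template, appending a realm for a server in a different Kerberos realm, and checking that the host part of the resulting SPN is the server's canonical name rather than one of its aliases. The alias table is constructed to mirror the mail.mydomain.com example in the text and stands in for DNS; the function names, the label syntax check and the service@name[@REALM] split are assumptions made for this illustration.

```python
import re

# Default template exactly as the dialog shows it.
DEFAULT_SPN_TEMPLATE = "host@$(HOST)"

# Constructed alias table standing in for DNS lookups: every name a server
# is known by maps to its single canonical name (the page's example server).
ALIASES = {
    "192.168.20.1": "mail.mydomain.com",
    "mail": "mail.mydomain.com",
    "mydomain.com": "mail.mydomain.com",
    "mail.mydomain.com": "mail.mydomain.com",
}

_VAR_RE = re.compile(r"\$\((HOST|PORT)\)")
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def expand_spn(template, host, port):
    """Apply the $(HOST) and $(PORT) substitutions described in the text."""
    values = {"HOST": host, "PORT": str(port)}
    return _VAR_RE.sub(lambda m: values[m.group(1)], template)


def canonical_name(name, table=ALIASES):
    """Resolve a host alias to its canonical name, or None if it is unknown."""
    return table.get(name.lower())


def parse_spn(spn):
    """Split service@name or service@name@REALM into its parts.

    Raises ValueError for strings that cannot be a valid SPN (assumed shape).
    """
    parts = spn.split("@")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"SPN must look like service@host[@REALM]: {spn!r}")
    service, name = parts[0], parts[1]
    realm = parts[2] if len(parts) == 3 else None
    for label in name.split("."):
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid host label {label!r} in {spn!r}")
    return {"service": service, "host": name, "realm": realm}


def check_spn(spn, table=ALIASES):
    """Report whether the host part of an SPN is the server's canonical name."""
    parsed = parse_spn(spn)
    canon = canonical_name(parsed["host"], table)
    if canon is None:
        return False, f"{parsed['host']} is not a known name for any server"
    if canon.lower() != parsed["host"].lower():
        return False, f"{parsed['host']} is an alias; canonical name is {canon}"
    return True, f"{spn} names canonical host {canon}"


def build_spn(host, port=22, realm=None, template=DEFAULT_SPN_TEMPLATE):
    """Expand the template for a session and append a realm when one is given."""
    spn = expand_spn(template, host, port)
    if realm:
        spn = f"{spn}@{realm}"
    return spn


if __name__ == "__main__":
    # A session configured with an alias: the default SPN names the alias,
    # which is the situation where manually specifying the SPN is needed.
    print(build_spn("mail", 22), check_spn(build_spn("mail", 22)))
    # A manually specified SPN using the canonical name and a foreign realm.
    spn = build_spn("mail.mydomain.com", 22, realm="KRBS.MYDOMAIN.COM")
    print(spn, parse_spn(spn), check_spn(spn))
```

When a session is configured with a short name or an IP address, check_spn reports the mismatch so the canonical name can be entered in the SPN box instead; in a real deployment the alias table would be replaced by the hostname lookup the text says SecureFX relies on.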
