Thunderbird:Supported authentication methods: Difference between revisions

Kerberos

Mozilla 1.7 has support for GSSAPI authentication for HTTP, and thus supports kerberos. It would be good to have GSSAPI auth for IMAP (and LDAP) in TB. Is the support there? What needs to be developed and tested? I'll try to gather relevant bugs and references to source code here.

• IMAP/GSSAPI in thunderbird 1.5?
• IMAP/GSSAPI implemented?
• Request for HTTP/GSSAPI auth (implemented in 1.7)
• Request for LDAP/GSSAPI auth
• Request for SOCKS5/GSSAPI

IMAP

TB supports negotiation of authentication method via IMAP, though I'm not sure which methods it supports of MD5, crypt, GSSAPI etc.

SMTP

I guess this is similar to IMAP auth. negotiation.

POP3

I don't use this old protocol.

SASL

Thunderbird 1.5 beta has support for SASL/GSSAPI support. The client must first have a valid Kerberos ticket and the server must also support SASL/GSSAPI authentication in order to succeed. UW IMAP Server has support for SASL/GSSAPI.

NTLM and SPNEGO?

GSSAPI authentication, either with SPNEGO tokens or with GSSAPI Kerberos V5 tokens, is attemtped if the server responds to the initial page request with a message that requests authentication and includes the "Auth: Negotiate" HTTP Header line. The client must have access to a valid Kerberos ticket or it won't even attempt to send the exchange. On Windows, NTLM auth may be attempted in the absence of valid Kerberos credentials.

See some details here:

- IETF Internet draft (expired) describing HTTP Auth Negotiation - the IETF KITTEN WG is currently finalizing a new official specification for the SPNEGO exchange, soon to become RFC 4178.

- GSSAPI negotiation support added to Mozilla

- SASL/GSSAPI support added to Thunderbird

- Configure GSSAPI auth for Mozilla and Apache (on Solaris) - also describes IIS and IE configuration.

General

• Try the last successful authentication method first.
• https://bugzilla.mozilla.org/show_bug.cgi?id=237586

GSSAPI implementations

• MIT
• Sun
• Heimdal
• GNU