Thunderbird:Supported authentication methods
Kerberos
Mozilla 1.7 has support for GSSAPI authentication for HTTP, and thus supports kerberos. It would be good to have GSSAPI auth for IMAP (and LDAP) in TB. Is the support there? What needs to be developed and tested? I'll try to gather relevant bugs and references to source code here.
IMAP
TB supports negotiation of authentication method via IMAP, though I'm not sure which methods it supports of MD5, crypt, GSSAPI etc.
SMTP
I guess this is similar to IMAP auth. negotiation.
POP3
- RFC 1939 - POP3 protocol description
- RFC 1734 - POP3 Authentication description
SASL
- RFC 2222 - SASL Specification, section 7.2 describes SASL-GSSAPI
- RFC 4752 - updated SASL GSSAPI spec - describes use of SASL with GSSAPI/KRB5 and GSSAPI/SPNEGO mechanisms.
Thunderbird 1.5 beta has support for SASL/GSSAPI support. The client must first have a valid Kerberos ticket and the server must also support SASL/GSSAPI authentication in order to succeed. UW IMAP Server has support for SASL/GSSAPI, as does the Dovecot system.
NTLM and SPNEGO
GSSAPI authentication, either with SPNEGO tokens or with GSSAPI Kerberos V5 tokens, is attemtped if the server responds to the initial page request with a message that requests authentication and includes the "Auth: Negotiate" HTTP Header line. The client must have access to a valid Kerberos ticket or it won't even attempt to send the exchange. On Windows, NTLM auth may be attempted in the absence of valid Kerberos credentials.
See some details here:
- RFC 2478 - Original SPNEGO specification (broken and outdated as of Fall 2005)
- RFC 4178 - (coming soon) official SPNEGO specification.
- Configure GSSAPI auth for Mozilla and Apache (on Solaris) - also describes IIS and IE configuration.
General
GSSAPI implementations
- RFC 2743 - GSSAPI V2
- RFC 2744 - GSSAPI V2 C-Bindings
- MIT
- Sun
- Heimdal
- GNU