Hi Kim,
As SPNEGO and HTTP/2 do not go together, I suggest using a federated model.
So you set up an IdP instance which runs the SPNEGO on HTTP/1.1 and a relying party (or SP if you use SAML2) that runs on HTTP/2. The latter consumes the IdP token and creates the SSO sessions toward your junctions.
In a nutshell: the unauthenticated user arrives at the HTTP/2 endpoint and, because of not having a valid session, the browser is redirected to the SPNEGO endpoint, which does the desktop SSO for you, issues a token and redirects back. The HTTP/2 endpoint will now be able to create an authenticated session.
I hope this helps (I am sure Serge will agree on this approach).
------------------------------
Peter Gierveld
Security Architect
SecurIT
Amsterdam
------------------------------
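The redirect flow Peter describes, as an added example that is not part of the original post or of any vendor product: a relying party on the HTTP/2 side sends session-less users to an IdP endpoint, the IdP (after the SPNEGO exchange, which is not modelled here) mints a short-lived signed token, and the relying party verifies signature, audience, expiry and login-attempt state before creating a session. The URLs, the shared HMAC key and the token format are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values (assumptions): in practice the IdP would sign with
# a private key and the relying party would verify with the public key.
IDP_SIGNING_KEY = b"constructed-demo-shared-secret"
RP_ORIGIN = "https://app.example.test"            # HTTP/2 relying party
IDP_SPNEGO_URL = "https://sso.example.test/spnego"  # HTTP/1.1 SPNEGO IdP
TOKEN_LIFETIME_SECONDS = 60

def rp_handle_request(session_store, session_cookie):
    """Relying party: serve the request if a session exists, else redirect to the IdP."""
    if session_cookie in session_store:
        return {"status": 200, "user": session_store[session_cookie]}
    # 'state' binds the eventual token to this login attempt; the RP keeps it
    # (in a pre-session cookie) and checks it when the token comes back.
    state = secrets.token_urlsafe(16)
    return {"status": 302, "location": f"{IDP_SPNEGO_URL}?state={state}", "state": state}

def idp_issue_token(user, state, now=None):
    """IdP: after desktop SSO succeeded, mint a short-lived token for the relying party."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": RP_ORIGIN, "state": state, "exp": now + TOKEN_LIFETIME_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def rp_consume_token(session_store, token, expected_state, now=None):
    """Relying party: verify the IdP token and create a session; return the cookie or None."""
    now = int(time.time()) if now is None else now
    try:
        b64_body, b64_sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, TypeError):
        return None
    expected_sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("aud") != RP_ORIGIN:              # token meant for another RP
        return None
    if claims.get("state") != expected_state:       # not the attempt we started
        return None
    if int(claims.get("exp", 0)) <= now:            # expired token
        return None
    cookie = secrets.token_urlsafe(32)
    session_store[cookie] = claims["sub"]           # authenticated HTTP/2 session
    return cookie
```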
Original Message:
Sent: Mon July 04, 2022 04:26 AM
From: Kim Petersen
Subject: Alternative to Kerberos
Hi
Currently, we are using Kerberos for single sign-on for various applications behind junctions. It is working fine; however, it is HTTP/1 and Kerberos does not support HTTP/2. Performance on applications could be optimized significantly with HTTP/2.
What could be done to handle both SSO and HTTP/2? Any suggestions?
BR
Kim
------------------------------
Kim Petersen
Specialist
ATP
------------------------------