The GSSAPI Properties dialog can be accessed by clicking on the Properties button in the Authentication group of the Connection/SSH2 category of the Session Options dialog when GSSAPI is the specified authentication method.
GSSAPI (Generic Security Services Application Program Interface) is a generic API for performing client/server authentication. GSSAPI allows SecureFX to authenticate with a server without knowing anything about the specific authentication mechanism in use.
Method
SecureFX supports the following types of GSSAPI provider:
MS Kerberos - To use this provider, SecureFX must be running on Windows 2000 or newer, and the computer must be joined to an Active Directory domain or configured to participate in a Kerberos realm.
GSSAPI - To use this provider, you must have a GSSAPI library, provided either natively by the operating system or by a third-party Kerberos provider of your choice (for example, the MIT Kerberos distribution). When this option is chosen on Windows, 64-bit versions of SecureFX attempt to load a file named gssapi64.dll and 32-bit versions attempt to load a file named gssapi32.dll. On macOS and Linux, SecureFX attempts to load a libgssapi.so library, which must already be present on the system and loadable by applications in general. Kerberos and GSSAPI must already be configured correctly and working in your environment outside of SecureFX for GSSAPI authentication in SecureFX to succeed.
Auto Detect - This setting instructs SecureFX to determine automatically which of the above two methods will work with the server you are connecting to. This is the recommended setting.
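The paragraph above says the GSSAPI method only works when the named library is already loadable "by applications in general". The following preflight, an added example and not part of SecureFX or its documentation, applies the documented file-name rules (gssapi64.dll, gssapi32.dll, libgssapi.so) and then loads the library through ctypes, the way any ordinary application would, checking that it exports gss_init_sec_context so that a stray file with the right name is not mistaken for a working provider. The function names and the result dictionary are this example's own.

```python
import ctypes
import platform
import struct


def gssapi_library_name(system, pointer_bits):
    """File name the docs say SecureFX loads for the GSSAPI method, by platform and process bitness."""
    if system == "Windows":
        return "gssapi64.dll" if pointer_bits == 64 else "gssapi32.dll"
    return "libgssapi.so"  # macOS (platform.system() == "Darwin") and Linux


def probe_gssapi_library(name, required_symbol="gss_init_sec_context"):
    """Load the library as any application would and confirm it exports a real GSSAPI entry point.

    Returns a small dict rather than raising so callers can report every failure mode uniformly.
    """
    try:
        lib = ctypes.CDLL(name)
    except OSError as exc:
        # The dynamic loader could not find or map the file: the same condition under
        # which SecureFX's GSSAPI method cannot work on this machine.
        return {"library": name, "loaded": False, "has_symbol": False, "detail": str(exc)}
    has_symbol = hasattr(lib, required_symbol)  # missing export raises AttributeError -> False
    detail = "ok" if has_symbol else "loaded, but %s is not exported; not a GSSAPI library?" % required_symbol
    return {"library": name, "loaded": True, "has_symbol": has_symbol, "detail": detail}


def preflight():
    """Probe for the current process, using the same platform and bitness rules as the text above."""
    bits = struct.calcsize("P") * 8  # pointer size of this interpreter: 32 or 64
    return probe_gssapi_library(gssapi_library_name(platform.system(), bits))


if __name__ == "__main__":
    print(preflight())
```

Run it with a Python interpreter of the same bitness as the SecureFX build you are troubleshooting; a 64-bit interpreter cannot tell you whether gssapi32.dll is loadable. If the probe fails, fix the Kerberos installation or library search path first, as the text advises, before retrying in SecureFX.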
Delegation
When SecureFX authenticates with GSSAPI, it can control whether or not the server is allowed to access other secured resources (such as network file servers) without further prompting for credentials. SecureFX supports the following delegation settings:
Full - If this delegation is selected and the GSSAPI mechanism both supports delegation and is configured to allow delegation, the server may be able to access other secured resources without prompting for credentials. Because a delegated credential lets the server act on your behalf, use Full delegation only with servers you trust.
None - If this delegation is selected, the server may have to prompt for further authentication in order to access secured resources such as network files, printers, or to log on to a different server.
Limited - For the MS Kerberos method, this setting is the same as Full delegation. If the GSSAPI method is selected, the meaning of "Limited" is determined by the GSSAPI library provider available on your system.
Advanced >>
Pressing this button expands (or contracts) the GSSAPI Properties dialog to display (or hide) the following options.
SPN (Service Principal Name) group
When authenticating with GSSAPI, SecureFX must determine the canonical name of a server. The server has exactly one canonical name, which no other server can share. The server may have other names, for example, the server 192.168.20.1 may be known as mail.mydomain.com, mydomain.com and mail, but it has only one canonical name, mail.mydomain.com.
SecureFX uses this canonical name to form a Service Principal Name (SPN) which the GSSAPI provider uses to identify the server with which it should authenticate.
SecureFX normally uses the host variable ($(HOST)) to determine the server SPN; this depends on hostname lookups working correctly. If lookups do not work correctly, this behavior can be overridden by manually specifying the SPN. Specifying the SPN manually also pins the server identity you authenticate to, so it no longer depends on what name resolution reports.
Manually specify the SPN (default is host@$(HOST))
Checking this box will enable the SPN text box below and allow you to manually specify the SPN.
SPN
Enter the SPN string. The string is almost always of the form host@<server canonical name>. An example of a valid string is "host@mail.mydomain.com". SecureFX will make the following variable substitutions in the specified SPN name:
$(HOST) - the hostname as specified in the Session Options/Connection/SSH2 category.
$(PORT) - the port as specified in the Session Options/Connection/SSH2 category.
If the server is in a different Kerberos realm, the realm name may need to be appended (e.g., host@mail.mydomain.com@KRBS.MYDOMAIN.COM).
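The SPN group above describes two ways the SPN can be produced: automatically, from the canonical name that hostname lookup returns, or manually, from a template with $(HOST) and $(PORT) substituted. The example below is added here and is not SecureFX code; it models both paths with a constructed name table standing in for DNS (HONEST_DNS and SPOOFED_DNS are assumptions of this example, as are all the function names), so it runs offline. A real client would typically obtain the canonical name from the resolver (for example getaddrinfo with AI_CANONNAME), which is exactly why the automatic path inherits whatever the resolver says, while a manually specified SPN does not.

```python
import re

# Constructed name table standing in for DNS (an assumption of this example):
# the name the user typed -> the canonical name a resolver would report.
HONEST_DNS = {
    "mail": "mail.mydomain.com",
    "mydomain.com": "mail.mydomain.com",
    "mail.mydomain.com": "mail.mydomain.com",
    "192.168.20.1": "mail.mydomain.com",
}

# The same table after someone who controls name resolution redirects the short name.
SPOOFED_DNS = dict(HONEST_DNS, mail="gateway.attacker.example")

# The forms the SPN field accepts: host@<name> or host@<name>@<REALM>.
SPN_RE = re.compile(r"^(?P<service>[^@/]+)@(?P<host>[^@/]+)(?:@(?P<realm>[^@/]+))?$")


def expand_spn(template, host, port):
    """Apply the two documented substitutions, $(HOST) and $(PORT), to an SPN template."""
    return template.replace("$(HOST)", host).replace("$(PORT)", str(port))


def parse_spn(spn):
    """Split an SPN into service, host and optional realm; reject anything not of the form host@name[@REALM]."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError("SPN must look like host@<server canonical name>[@REALM]: %r" % spn)
    return m.groupdict()  # realm is None when no realm suffix was given


def canonical_name(host, resolve):
    """Canonical name reported by the injected resolver; fails loudly when lookup does not work."""
    name = resolve(host)
    if name is None:
        raise LookupError("hostname lookup failed for %r; specify the SPN manually" % host)
    return name


def default_spn(host, resolve):
    """The automatic SPN: 'host@' followed by whatever the resolver reports as the canonical name."""
    return "host@" + canonical_name(host, resolve)


def spn_for_session(host, port, manual_template=None, resolve=HONEST_DNS.get):
    """Mirror the dialog: a manually specified SPN template wins over canonicalization."""
    if manual_template:
        return expand_spn(manual_template, host, port)
    return default_spn(host, resolve)


def spn_matches_intent(spn, intended_host):
    """True when the host part of the SPN is the server the user actually meant to reach."""
    return parse_spn(spn)["host"].lower() == intended_host.lower()


if __name__ == "__main__":
    # Honest resolution: the automatic SPN names the server the user meant.
    print(spn_for_session("mail", 22))
    # Spoofed resolution: the automatic SPN now names the attacker's host,
    # and the KDC would be asked for a ticket to that principal instead.
    print(spn_for_session("mail", 22, resolve=SPOOFED_DNS.get))
    # A manually specified SPN ignores resolution entirely.
    print(spn_for_session("mail", 22, "host@mail.mydomain.com", SPOOFED_DNS.get))
    # The cross-realm form from the text parses into its three parts.
    print(parse_spn("host@mail.mydomain.com@KRBS.MYDOMAIN.COM"))
```

The practical check is the last function: after forming the SPN, compare its host part with the server you intended to reach. If they differ, either name resolution is broken (the case the text describes) or something is steering it, and in both cases entering the SPN manually removes the dependency.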