kerberos authentication for apache on windows

Frank Balluffi frank.balluffi at db.com
Mon Jun 6 09:16:25 EDT 2005


Julien ALLANOS said:

> I am now facing the following problem: browsers don't send NTLM tokens
> anymore but SPNEGO tokens (I believe). I don't really know what I did to make
> it work, but heh, it works. That's good.

For both NTLM and SPNEGO tokens, IE should send:

Authorization: Negotiate

followed by a base64-encoded token. To determine the type of token, 
capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C 
4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with 
hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long 
(most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2, 
which identifies the SPNEGO GSSAPI mechanism.

Frank
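
The check described above, as an added Python example that is not part of the original message: it base64-decodes the token from a Negotiate header value and tests for the NTLMSSP signature or the 60 / DER length / SPNEGO OID prefix. The function names, return labels and sample tokens are assumptions constructed for illustration.

```python
import base64
import binascii

NTLM_SIGNATURE = b"NTLMSSP"                      # hex 4E 54 4C 4D 53 53 50
SPNEGO_OID = bytes.fromhex("06062b0601050502")   # DER encoding of 1.3.6.1.5.5.2


def _der_length_size(buf, pos):
    """Return how many bytes the DER length field at buf[pos] occupies (1-3), or 0."""
    if pos >= len(buf):
        return 0
    first = buf[pos]
    if first < 0x80:              # short form: a single length byte
        return 1
    n = first & 0x7F              # long form: 0x8n followed by n length bytes
    if n in (1, 2) and pos + n < len(buf):
        return 1 + n
    return 0                      # longer or truncated length: not the prefix described


def classify_negotiate_header(value):
    """Classify the value of an Authorization header (hypothetical helper)."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if token[:1] == b"\x60":      # GSSAPI initial-token tag
        size = _der_length_size(token, 1)
        start = 1 + size
        if size and token[start:start + len(SPNEGO_OID)] == SPNEGO_OID:
            return "spnego"
    return "unknown"


def sample_header(raw):
    """Build a header value from constructed token bytes (test data only)."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed token prefixes, not captured traffic.
    print(classify_negotiate_header(sample_header(b"NTLMSSP\x00\x01\x00\x00\x00")))
    print(classify_negotiate_header(sample_header(bytes.fromhex("60820100") + SPNEGO_OID)))
```

Anything that matches neither prefix is reported as "unknown" rather than guessed at.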

