Michael B Allen ioplex at
Fri Jul 18 11:58:31 EDT 2008

On Fri, Jul 18, 2008 at 7:13 AM, Michael Ströder <michael at> wrote:
> Michael B Allen wrote:
>> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <rra at> wrote:
>>>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>>>> going to perform better.
>>> If by "better" you mean "pretty much the same," yes, modulo the
>>> configuration note that I mentioned.
>> No, I definitely meant "better".
>> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
>> token and get a TGT.
> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
> it's just a service ticket.

Yes, the relevant SPNEGO token is basically a wrapped AP-REQ wihch is
composed of a service ticket and an authenticator. I believe the TGT
or what is used to build a TGT is in the authenticator (at least
that's what WireShark calls it). Incidentally the encrypted part of
the service ticket contains the authorization data (the PAC if it was
issued by AD) which I assume is combined with the TGT data in the
authenticator to build a TGT with authorization data. Otherwise it
would have to dupe that data and the size of blobs in the SPNEGO token
doesn't represent that.


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the Kerberos mailing list