SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

john at feith.com
Mon Mar 17 23:43:24 EDT 2008


On Mar 17, 9:12 pm, "Michael B Allen" <iop... at gmail.com> wrote:
> The problem is that the client will not or cannot initiate Kerberos.

Nice try, but no.  The client has no problems using Kerberos.
There are credentials in the cache for the user.  There's no problem
fetching credentials for the webserver.  The problem has specifically
been traced by Microsoft to a bit of code in the Negotiate SSPI
which causes a raw NTLM to be returned instead of a SPNEGO
in some situations even though Kerberos is available / working.

The issue is whether RFC4559 allows a raw NTLM to be returned.

My read of the RFC is SPNEGO is always required ... so let's
say that there was something interfering with Kerberos and
Windows dropped back to NTLM.  What it should send is a
SPNEGO encapsulating an NTLM.  What it actually sent was
a raw NTLM.

Microsoft's take is that a raw NTLM is a completely compliant
RFC4559 response.

I'm looking for someone to clarify the issue or suggest how
to resolve it.

-- John
john at feith.com
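The distinction the post draws, as an added example that is not code from this thread: a small Python classifier that a web server or proxy could run over incoming `Authorization: Negotiate` values to tell a SPNEGO NegTokenInit (what RFC 4559 expects) from a raw NTLMSSP or raw Kerberos token, so the non-SPNEGO case can be logged and counted. The OID encodings are standard; the two sample header values are constructed for the example, not captured traffic.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that SPNEGO over HTTP (RFC 4559) deals in.
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2

def _der_len(buf: bytes, pos: int) -> tuple[int, int]:
    # Decode the DER length at buf[pos]; return (length, offset of contents).
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value: str) -> str:
    """Classify an 'Authorization: Negotiate <base64>' value by token type."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"            # bare NTLMSSP message, no GSS/SPNEGO framing
    if tok[:1] == b"\xa1":
        return "spnego-resp"         # NegTokenResp ([1] context tag)
    if tok[:1] != b"\x60" or len(tok) < 4:
        return "malformed"
    _, pos = _der_len(tok, 1)        # [APPLICATION 0] InitialContextToken
    if tok[pos:pos + 1] != b"\x06":
        return "malformed"
    oid_len, pos = _der_len(tok, pos + 1)
    oid = tok[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego-init"         # NegTokenInit: what RFC 4559 expects
    if oid == KRB5_OID:
        return "raw-kerberos"        # bare Kerberos token, no SPNEGO wrapper
    return "other-gss"

# Constructed samples (not captured traffic): a Type 1 NTLMSSP message, and a
# NegTokenInit whose mechTypes list holds only the NTLM mechanism OID
# (1.3.6.1.4.1.311.2.2.10), i.e. "SPNEGO encapsulating NTLM".
RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 24).decode()
SPNEGO_NTLM = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601c" "06062b0601050502" "a012" "3010" "a00e" "300c" "060a2b060104018237020a")).decode()
```

Counting `raw-ntlm` results per client over time is a quick way to see how often the behaviour described in the thread actually occurs against a given server.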


