SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion
john@feith.com
Tue Mar 18 03:37:14 EDT 2008
On Mar 18, 12:59 am, "Michael B Allen" <iop... at gmail.com> wrote:
> If the HTTP server returns "WWW-Authenticate: NTLM" then the client
> must use NTLMSSP tokens. If it returns "WWW-Authenticate: Negotiate"
> then the tokens must be SPNEGO. If it returns both, then the client
> can pick.
Yep ... that's pretty much how I understand things. In our case we are
only returning "WWW-Authenticate: Negotiate".
> Otherwise, you need to explain the point of failure in more detail.
The IE client is responding to "WWW-Authenticate: Negotiate" with
a raw NTLM instead of SPNEGO.
> If you're not sure then provide an HTTP client / server call sequence
We're sure ... it's all been checked / double-checked using packet
sniffers, etc. Microsoft has also confirmed it and looked at their code. They
say that it's intentional to return a raw NTLM instead of SPNEGO
regardless of the availability of Kerberos in some situations when
responding to "WWW-Authenticate: Negotiate".
> the point of failure.
The real problem is that Microsoft admits that this is intentional
and claims that it is RFC4559 compliant. I'm having great difficulty
in getting them to understand that RFC4559 *requires* that SPNEGO
be used. I'm open to suggestions.
-- John
john at feith.com
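The check the thread describes, telling a raw NTLMSSP message apart from a SPNEGO token in an "Authorization: Negotiate" reply, as an added example that is not part of the original message or of any code the poster mentions. It is written in Python and also goes a step beyond the post: when the token is SPNEGO it lists the mechanisms the client offered in the NegTokenInit. The two sample tokens are constructed in the code (a minimal NTLMSSP Type 1 message and a NegTokenInit wrapping it); the negotiate-flags value in the NTLM message is illustrative, not a capture.

```python
"""Classify the token in an HTTP "Authorization: Negotiate <base64>" header.

Under RFC 4559 a "Negotiate" exchange carries SPNEGO (GSS-API) tokens, but
some clients answer "WWW-Authenticate: Negotiate" with a bare NTLMSSP
message. A server (or a log parser) can spot that from the first bytes.
"""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER content bytes of the OIDs we care about (tag 0x06 and length omitted).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[start:end], end


def ntlm_negotiate_message() -> bytes:
    """Constructed minimal NTLMSSP NEGOTIATE_MESSAGE (Type 1).

    Signature, MessageType=1, NegotiateFlags (illustrative value), then empty
    DomainName and Workstation fields. Enough to look like a client's first
    message; not captured traffic.
    """
    flags = 0xE2088297  # assumed/illustrative flag set
    return (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
            + flags.to_bytes(4, "little") + bytes(8) + bytes(8))


def spnego_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """Constructed GSS-API InitialContextToken carrying a SPNEGO NegTokenInit.

    0x60 { OID spnego, [0] SEQUENCE { [0] mechTypes, [2] mechToken } }
    """
    mech_types = der_tlv(0x30, b"".join(der_tlv(0x06, o) for o in mech_oids))
    body = der_tlv(0xA0, mech_types) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    neg_token_init = der_tlv(0xA0, der_tlv(0x30, body))
    return der_tlv(0x60, der_tlv(0x06, OID_SPNEGO) + neg_token_init)


def classify_negotiate_token(header_value: str) -> dict:
    """Return {"kind": raw-ntlm | spnego | raw-krb5 | unknown, "mechs": [...]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError(f"not a Negotiate header: {scheme!r}")
    token = base64.b64decode(b64, validate=True)
    if token.startswith(NTLMSSP_SIGNATURE):           # the behaviour in the thread
        msg_type = int.from_bytes(token[8:12], "little")
        return {"kind": "raw-ntlm", "ntlm_message_type": msg_type, "mechs": []}
    if not token or token[0] != 0x60:                # not a GSS-API initial token
        return {"kind": "unknown", "mechs": []}
    _, body, _ = read_tlv(token)
    oid_tag, oid, pos = read_tlv(body)
    if oid_tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    if oid in (OID_KRB5, OID_MS_KRB5):                # Kerberos token sent without SPNEGO
        return {"kind": "raw-krb5", "mechs": [OID_NAMES[oid]]}
    if oid != OID_SPNEGO:
        return {"kind": "unknown", "mechs": []}
    mechs = []
    choice_tag, init, _ = read_tlv(body, pos)         # NegotiationToken CHOICE
    if choice_tag == 0xA0:                            # [0] NegTokenInit
        _, seq, _ = read_tlv(init)
        t, mech_types, _ = read_tlv(seq)
        if t == 0xA0:                                 # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(mech_types)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(OID_NAMES.get(o, o.hex()))
    return {"kind": "spnego", "mechs": mechs}


def demo():
    """Compliant reply (SPNEGO wrapping NTLM) next to the raw-NTLM reply."""
    ntlm = ntlm_negotiate_message()
    compliant = "Negotiate " + base64.b64encode(
        spnego_neg_token_init([OID_KRB5, OID_NTLMSSP], ntlm)).decode()
    raw = "Negotiate " + base64.b64encode(ntlm).decode()
    return classify_negotiate_token(compliant), classify_negotiate_token(raw)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The SPNEGO case is recognised by the GSS-API wrapper (tag 0x60) followed by the SPNEGO OID; the NTLM case is the eight-byte "NTLMSSP\0" signature with no ASN.1 framing at all, which is what a packet capture of the misbehaving client shows. A server that wants to be lenient can still hand a raw-ntlm token to its NTLMSSP handler, but it then knows it is stepping outside RFC 4559 rather than guessing.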