SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

Michael B Allen ioplex at gmail.com
Tue Mar 18 11:14:13 EDT 2008


On 3/18/08, john at feith.com <john at feith.com> wrote:
> On Mar 18, 12:59 am, "Michael B Allen" <iop... at gmail.com> wrote:
>  > If the HTTP server returns "WWW-Authenticate: NTLM" then the client
>  > must use NTLMSSP tokens. If it returns "WWW-Authenticate: Negotiate"
>  > then the tokens must be SPNEGO. If it returns both, then the client
>  > can pick.
>
>
> Yep ... that's pretty much how I understand things.  In our case we
> are only returning "WWW-Authenticate: Negotiate".
>
>
>  > Otherwise, you need to explain the point of failure in more detail.
>
>
> The IE client is responding to "WWW-Authenticate: Negotiate" with
>  a raw NTLM instead of SPNEGO.

Well I just looked at some of my captures and I can see that raw
NTLMSSP tokens can be sent in response to "WWW-Authenticate:
Negotiate". And I now recall that raw Kerberos tokens can be used as
well.

>  > If you're not sure then provide an HTTP client / server call sequence
>
>
> We're sure ... it's all been checked / double checked using packet
> sniffers,

Well I'm glad you're sure but I'm not clear on what the point of
failure is so if you want my input you'll have to explain the exact
exchange. If you're seeing an XP client send a raw NTLM token in
response to sending it "WWW-Authenticate: Negotiate" then I refer you
to my original response.

>  etc.  Microsoft has also confirmed it and looked at their code.  They
>  say that it's intentional to return a raw NTLM instead of SPNEGO
>  regardless of the availability of Kerberos in some situations when
>  responding to "WWW-Authenticate: Negotiate".
>
>  > the point of failure.
>
>  The real problem is that Microsoft admits that this is intentional
>  and claims that it is RFC4559 compliant.  I'm having great difficulty
>  in getting them to understand that RFC4559 * requires * that SPNEGO
>  be used.  I'm open to suggestions.

From glancing at RFC 4559 it indeed does not seem to include any
mention that raw NTLM and Kerberos tokens are accepted. But I learned
a long time ago that RFCs are not the law. What you see on the wire is
the law.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
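The practical consequence of the exchange above is that a server advertising only "WWW-Authenticate: Negotiate" must be prepared for three kinds of client token: a SPNEGO InitialContextToken, a raw Kerberos GSS token, or a raw NTLMSSP message. The following is an added example, not code from this thread or from any of the posters; it distinguishes the three by their leading bytes (the "NTLMSSP\0" signature, or the GSS-API [APPLICATION 0] wrapper and its mechanism OID) without touching the inner message. The sample tokens are constructed here rather than captured from a real client, and the Kerberos sample uses a zero-filled stand-in where a real AP-REQ would be; the parser only needs the outer framing to be correct.

```python
import base64

# Mechanism OIDs in DER content-octet form (RFC 4178 SPNEGO, RFC 4121 Kerberos V5,
# and the NTLMSSP mechanism OID 1.3.6.1.4.1.311.2.2.10 used inside SPNEGO).
SPNEGO_OID = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")            # 1.2.840.113554.1.2.2
NTLMSSP_MECH_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                        # prefix of every raw NTLM message


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using the long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; raise ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length: low bits give the number of length octets
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of token")
    return tag, buf[pos:pos + length], pos + length


def classify_token(token: bytes) -> str:
    """Classify a client token as 'ntlmssp', 'spnego', 'kerberos', 'unknown' or 'malformed'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"                      # raw NTLM, no GSS framing at all
    if not token or token[0] != 0x60:
        return "unknown"                      # not a GSS-API InitialContextToken
    try:
        _, inner, _ = _read_tlv(token, 0)     # [APPLICATION 0] wrapper
        tag, oid, _ = _read_tlv(inner, 0)     # thisMech OBJECT IDENTIFIER
    except ValueError:
        return "malformed"
    if tag != 0x06:
        return "malformed"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"


def classify_authorization_header(header_value: str) -> str:
    """Classify the value of an 'Authorization: Negotiate <base64>' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return "bad-base64"
    return classify_token(token)


# --- constructed sample tokens (not captured from a real client) ---
# Raw NTLM Type 1: signature, message type 1 (little-endian), flags, empty domain/workstation.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)


def build_spnego_init(mech_oid: bytes) -> bytes:
    """SPNEGO NegTokenInit offering a single mechanism, wrapped in the GSS InitialContextToken."""
    mech_types = der(0xA0, der(0x30, der(0x06, mech_oid)))  # [0] MechTypeList
    neg_token_init = der(0xA0, der(0x30, mech_types))         # negTokenInit [0] SEQUENCE
    return der(0x60, der(0x06, SPNEGO_OID) + neg_token_init)


# Raw Kerberos GSS token: OID, TOK_ID 0x0100 (KRB_AP_REQ), then an AP-REQ stand-in
# (zero-filled placeholder; long enough to exercise the long-form DER length).
KRB5_TOKEN = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + der(0x6E, bytes(200)))

if __name__ == "__main__":
    for name, tok in [("ntlm", NTLM_TYPE1),
                      ("spnego", build_spnego_init(NTLMSSP_MECH_OID)),
                      ("krb5", KRB5_TOKEN)]:
        print(name, "->", classify_token(tok))
```

A server that dispatches on this classification can hand raw NTLMSSP and raw Kerberos tokens to the matching mechanism directly and feed only genuine SPNEGO tokens to the SPNEGO negotiator, which is what makes the Internet Explorer behaviour discussed in the thread survivable even though RFC 4559 never mentions it.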
