SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

Michael B Allen ioplex at gmail.com
Tue Mar 18 15:15:01 EDT 2008


On 3/18/08, Todd Stecher <todd.stecher at gmail.com> wrote:
>  My reading of the RFC is that it is truly "informational," describing
>  how clients and servers use SPNEGO + HTTP, but not specifying every
>  possible HTTP auth scheme.  Chances are the answer you got about raw
>  NTLM being "OK" was passed through various layers of Microsoft from
>  Larry Zhu, the author of the RFC itself, and based not on
>  "correctness" but rather on the behavior of millions of deployed
>  clients and servers.  Even if you could get MS to change the behavior
>  to your interpretation of the RFC, it's not going to help much until
>  every machine out there is updated.

I would hope that they do NOT change the existing behavior. I consider
accepting "raw" NTLM and Kerberos tokens to be a feature. In fact,
SPNEGO is largely dead weight - I don't recall seeing it ever
"negotiate" much of anything. It's just one of those things that
sounded nice in theory but in practice it didn't really help anyone.
But MS clients send SPNEGO tokens so we need to accept them.

Note that accepting raw tokens is not terribly hard considering SPNEGO
is largely a wrapper for the raw tokens. It's an extra condition in
your code. Or just use a GSSAPI implementation that supports SPNEGO
and you're done.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
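
The "extra condition" Mike describes, as an added example that is not part of the original post or of his PHP module: a small Python classifier for the token a client sends in its first Authorization: Negotiate header. It recognises raw NTLM (the NTLMSSP signature), a raw Kerberos GSS-API token (0x60 framing plus the krb5 or MS-krb5 OID) and SPNEGO, and it goes one step further than the text by unwrapping a SPNEGO NegTokenInit (RFC 4178) down to its optimistic mechToken, which is itself a raw token, so the same code path consumes both forms. The NTLM body and the AP-REQ bytes in the sample tokens are constructed placeholders, not captured traffic; the parser only inspects the framing. The check that the mechToken belongs to the first listed mechType is the RFC 4178 rule, added here as the caveat a server-side implementer hits most often.

```python
"""Classify the token in 'Authorization: Negotiate <b64>' as SPNEGO, raw
Kerberos or raw NTLM, and unwrap SPNEGO down to the inner mechanism token."""
import base64

# DER-encoded mechanism OIDs (value bytes only, without the 0x06 tag/length)
OID_SPNEGO  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "mskrb5", OID_NTLMSSP: "ntlmssp"}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of token")
    return tag, buf[pos:pos + length], pos + length


def _der(tag, payload):
    """Wrap payload in a DER TLV with the given tag (used to build sample tokens)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    if n < 0x100:
        return bytes([tag, 0x81, n]) + payload
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + payload


def classify_token(token):
    """Return {"kind", "mech", "inner"} for a client's first token.

    kind is "raw-ntlm", "raw-kerberos" or "spnego". For SPNEGO, "mech" names
    the mechanism of the optimistic mechToken and "inner" is that token's
    payload, exactly as it would be for the raw (unwrapped) form.
    """
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "raw-ntlm", "mech": "ntlmssp", "inner": token}
    if not token or token[0] != 0x60:
        raise ValueError("neither NTLMSSP nor a GSS-API InitialContextToken")
    _, body, _ = _read_tlv(token, 0)
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("InitialContextToken without mechanism OID")
    if oid in (OID_KRB5, OID_MS_KRB5):
        # what follows is TOK_ID (0x01 0x00) plus the KRB_AP_REQ
        return {"kind": "raw-kerberos", "mech": MECH_NAMES[oid], "inner": body[pos:]}
    if oid != OID_SPNEGO:
        raise ValueError("unsupported mechanism OID %s" % oid.hex())
    return _unwrap_neg_token_init(body[pos:])


def _unwrap_neg_token_init(neg):
    """Parse a NegTokenInit (RFC 4178) and classify its optimistic mechToken."""
    tag, choice, _ = _read_tlv(neg, 0)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0]), got tag 0x%02x" % tag)
    tag, seq, _ = _read_tlv(choice, 0)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    mech_types, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(val, 0)
            p = 0
            while p < len(lst):
                t, o, p = _read_tlv(lst, p)
                if t == 0x06:
                    mech_types.append(o)
        elif tag == 0xA2:                     # [2] mechToken: OCTET STRING
            _, mech_token, _ = _read_tlv(val, 0)
    if not mech_types or mech_token is None:
        raise ValueError("NegTokenInit without mechTypes or optimistic mechToken")
    inner = classify_token(mech_token)        # the mechToken is itself a raw token
    # RFC 4178: the optimistic token belongs to the first mechanism in mechTypes
    if inner["mech"] != MECH_NAMES.get(mech_types[0]):
        raise ValueError("mechToken does not match the first mechType")
    return {"kind": "spnego", "mech": inner["mech"], "inner": inner["inner"],
            "mech_types": [MECH_NAMES.get(o, o.hex()) for o in mech_types]}


def parse_authorization(header_value):
    """Decode an HTTP Authorization header carrying a Negotiate (or bare NTLM) token."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("not a Negotiate/NTLM Authorization header")
    return classify_token(base64.b64decode(b64.strip(), validate=True))


# Constructed sample tokens (not captured traffic): only the framing is real.
NTLM_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x97\x82\x08\xe2" + bytes(16)
FAKE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"   # placeholder for a real KRB_AP_REQ
RAW_KRB5 = _der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + FAKE_AP_REQ)


def build_spnego_init(mech_oids, mech_token):
    """Wrap a raw token in a SPNEGO NegTokenInit, the way MS clients send it."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    fields = _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, fields)))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


if __name__ == "__main__":
    for name, tok in [("raw NTLM", NTLM_NEGOTIATE), ("raw Kerberos", RAW_KRB5),
                      ("SPNEGO/NTLM", build_spnego_init([OID_NTLMSSP], NTLM_NEGOTIATE)),
                      ("SPNEGO/krb5", build_spnego_init([OID_KRB5, OID_NTLMSSP], RAW_KRB5))]:
        r = parse_authorization(negotiate_header(tok))
        print("%-13s kind=%-13s mech=%-8s inner=%d bytes" % (name, r["kind"], r["mech"], len(r["inner"])))
```

A real server would hand "inner" to its NTLM or Kerberos code regardless of which framing the client chose, which is the point of accepting raw tokens. Only the client's first token (NegTokenInit) is handled here; the NegTokenResp messages that follow in a multi-leg NTLM exchange are a different structure.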