SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion
John Wehle
john at feith.com
Tue Mar 18 17:36:05 EDT 2008
On Mar 18, 2008 at 2:15 PM, Todd Stecher wrote:
> I'm guessing that your workflow / product / code requires Kerberos
Yes.
> and you're trying to figure out how to get SPNEGO wrapped kerberos
> tokens all of the time?
That would be nice, though as you mention there are many things that
get in the way.
> Chances are the answer you got about raw NTLM being "OK" was passed
> through various layers of Microsoft from Larry Zhu, the author of
> the RFC itself, and based not on "correctness" but rather on
> the behavior of millions of deployed clients and servers.
I'd be impressed if they actually checked with Larry Zhu. I do suspect
that the answer is, as you said, based on how their product has always
functioned rather than "correctness".
> Even if you could get MS to change the behavior to your interpretation
> of the RFC, it's not going to help much until every machine out there
> is updated.
I don't need every machine ... just my customers' machines. Our release
notes can indicate what versions / hotfixes are required for proper
operation. My approach might be different if I was designing a SSO
toolkit to be included in other people's products.
-- John
-------------------------------------------------------------------------
| Feith Systems | Voice: 1-215-646-8000 | Email: john at feith.com |
| John Wehle | Fax: 1-215-540-5495 | |
-------------------------------------------------------------------------
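
For a service that requires Kerberos, the two token shapes discussed in this thread (raw NTLM versus a SPNEGO-wrapped token) can be told apart from the leading bytes of the `Negotiate` header value. The following is an added example, not code from the thread or from any product mentioned in it; the function names and the sample tokens are constructed for illustration.

```python
import base64

OIDS = {  # DER-encoded OID contents -> mechanism name
    bytes.fromhex("2b0601050502"): "spnego",             # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos-ms",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",    # 1.3.6.1.4.1.311.2.2.10
}

def der(tag, body):  # sample builder only, short-form lengths (< 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Return (kind, offered_mechs) for an 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", [])
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no SPNEGO framing
            return ("raw-ntlm", [])
        tag, start, _ = read_tlv(tok, 0)
        if tag != 0x60:  # not a GSS-API initial context token
            return ("unknown", [])
        tag, v, p = read_tlv(tok, start)  # thisMech OID
        mech = OIDS.get(tok[v:p]) if tag == 0x06 else None
        if mech != "spnego":
            return ("raw-" + mech if mech else "unknown", [])
        for _ in range(3):  # descend: [0] NegTokenInit, SEQUENCE, [0] mechTypes
            _, p, _ = read_tlv(tok, p)
        _, p, stop = read_tlv(tok, p)  # SEQUENCE OF mechanism OIDs
        mechs = []
        while p < stop:
            _, v, p = read_tlv(tok, p)
            mechs.append(OIDS.get(tok[v:p], "other"))
        return ("spnego", mechs)
    except (ValueError, IndexError):
        return ("malformed", [])

# Constructed samples, no real credentials inside.
KRB, NTLM = (der(0x06, bytes.fromhex(h)) for h in ("2a864886f712010202", "2b06010401823702020a"))
INIT = der(0xA0, der(0x30, der(0xA0, der(0x30, KRB + NTLM))))
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60, der(0x06, bytes.fromhex("2b0601050502")) + INIT)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

The mechanism list is returned in the order the client sent it, which in SPNEGO is decreasing preference, so a Kerberos-only service can log or refuse `raw-ntlm` results and SPNEGO offers whose first entry is not a Kerberos OID.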