SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

Michael B Allen ioplex at gmail.com
Tue Mar 18 20:39:41 EDT 2008


On 3/18/08, john at feith.com <john at feith.com> wrote:
>  > Note that accepting raw tokens is not terribly hard considering SPNEGO
>  > is largely a wrapper for the raw tokens.
>
>  In our situation the Microsoft SSPI has decided that since there are NTLM
>  credentials available due to an interactive logon to the same machine
>  that happens to run our application it's going to send the NTLM credentials
>  instead of using the Kerberos credentials which are also available. This
>  is due to special case code in the SSPI which prefers NTLM over Kerberos
>  in this situation.

That problem doesn't really have anything to do with SPNEGO. The SSPI
layer knows nothing about interactive logons. The problem is that some
application has acquired and inserted an NTLM credential into the
credential cache so naturally the InitializeSecurityContext function
as called by IE is going to pick that. That may not be optimal but it
really has nothing to do with SPNEGO. The behavior you want would
require that IE specify that it wants the SPNEGO mechanism and not the
NTLM mechanism (not sure if SSPI supports the specification of a
mechanism like GSSAPI does - it may simply infer the mechanism from
the credential).

>  Now if they actually implemented SPNEGO as required by the RFC we would
>  be able to respond with accept_incomplete and request that the Kerberos
>  token be used.

I wouldn't be super confident that that would actually work. Again,
just because you see something in an RFC doesn't mean that it actually
works like that in practice.

Our product provides a logon routine that allows authenticating
clients using a traditional username+password method. That handles all
of the "client will not or cannot do kerberos" scenarios and not just
the one NTLM case.

Note that NTLM doesn't support delegation so if I remember your
original post correctly, implementing NTLM with pass-through
authentication would not help your particular scenario.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
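The exchange the two posters are arguing about, the acceptor answering a NegTokenInit whose preferred mechanism is NTLM with accept-incomplete and a supportedMech of Kerberos, as an added example that is not part of the original thread and not code from Michael's product. It is a minimal DER encoder/decoder for the RFC 4178 token shapes; the mechToken bytes and the acceptor's mechanism set are constructed for the demonstration, and a real server would hand the optimistic token to the chosen mechanism's own context handling rather than just returning it.

```python
"""Acceptor side of the first SPNEGO (RFC 4178) round trip.

Added example. Shows why the reply John wants only helps when the client
honours accept-incomplete: the server cannot make SSPI pick Kerberos, it can
only decline the NTLM token and name the mechanism it is willing to use.
"""

SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"

ACCEPT_COMPLETED, ACCEPT_INCOMPLETE, REJECT = 0, 1, 2   # negState values

def der_len(n):
    """DER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_types, mech_token):
    """GSS InitialContextToken [APPLICATION 0] { SPNEGO OID, negTokenInit }."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mech_types))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, init))

def parse_neg_token_init(token):
    tag, body, _ = read_tlv(token)
    assert tag == 0x60, "not a GSS initial context token"
    tag, oid, pos = read_tlv(body)
    assert tag == 0x06 and decode_oid(oid) == SPNEGO, "not SPNEGO"
    _, init, _ = read_tlv(body, pos)          # [0] negTokenInit
    _, seq, _ = read_tlv(init)                # SEQUENCE
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes
            _, lst, _ = read_tlv(field)
            p = 0
            while p < len(lst):
                _, oid, p = read_tlv(lst, p)
                mechs.append(decode_oid(oid))
        elif tag == 0xA2:                     # [2] mechToken (optimistic)
            _, mech_token, _ = read_tlv(field)
    return mechs, mech_token

def build_neg_token_resp(neg_state, supported_mech=None):
    body = tlv(0xA0, tlv(0x0A, bytes([neg_state])))        # [0] ENUMERATED
    if supported_mech:
        body += tlv(0xA1, encode_oid(supported_mech))      # [1] supportedMech
    return tlv(0xA1, tlv(0x30, body))                      # negTokenResp

def parse_neg_token_resp(token):
    tag, seq_tlv, _ = read_tlv(token)
    assert tag == 0xA1, "not a negTokenResp"
    _, seq, _ = read_tlv(seq_tlv)
    neg_state, supported, pos = None, None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:
            neg_state = read_tlv(field)[1][0]
        elif tag == 0xA1:
            supported = decode_oid(read_tlv(field)[1])
    return neg_state, supported

def negotiate(init_token, acceptor_mechs):
    """Pick the first initiator mechanism the acceptor supports (RFC 4178 4.2).

    Returns (chosen mech, optimistic mechToken if it is for that mech else
    None, encoded NegTokenResp). The optimistic token is only usable when the
    chosen mechanism is the head of the client's list.
    """
    mechs, mech_token = parse_neg_token_init(init_token)
    chosen = next((m for m in mechs if m in acceptor_mechs), None)
    if chosen is None:
        return None, None, build_neg_token_resp(REJECT)
    usable = mech_token if chosen == mechs[0] else None
    return chosen, usable, build_neg_token_resp(ACCEPT_INCOMPLETE, chosen)

if __name__ == "__main__":
    # Constructed: a client that prefers NTLM, talking to a Kerberos-only acceptor.
    tok = build_neg_token_init([NTLMSSP, MS_KRB5, KRB5], b"NTLMSSP\x00\x01\x00\x00\x00")
    print(negotiate(tok, {KRB5, MS_KRB5})[:2])   # (MS_KRB5, None): NTLM token declined
```

The acceptor never sees the interactive-logon credential choice Michael describes; it only sees the mechanism list the client sent. Declining NTLM here forces a second round trip in which the client must produce a Kerberos token, and whether it does so is entirely up to the client's SSPI.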
