SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

john@feith.com john at feith.com
Wed Mar 19 01:00:51 EDT 2008


On Mar 18, 8:39 pm, "Michael B Allen" <iop... at gmail.com> wrote:
> That problem doesn't really have anything to do with SPNEGO. The SSPI
> layer knows nothing about interactive logons. The problem is that some
> application has acquired and inserted an NTLM credential into the
> credential cache so naturally the InitializeSecurityContext function
> as called by IE is going to pick that. That may not be optimal but it
> really has nothing to do with SPNEGO. The behavior you want would
> require that IE specify that it wants the SPNEGO mechanism and not the
> NTLM mechanism (not sure if SSPI supports the specification of a
> mechanism like GSSAPI does - it may simply infer the mechanism from
> the credential).

All I can tell you is Microsoft, who recreated this problem in their
lab and who looked at their code, indicated that IE *is* asking for
SPNEGO and special case code in the SSPI chose to return
an NTLM token because of an interactive logon session.  I don't
have access to their source code so it is hard for me to comment
on whether that is in fact how their code works.

I will note that the problem also occurs using Firefox when configured
to use the Microsoft SSPI and I have looked at that code which does
seem to explicitly request the Negotiate SSPI package.

-- John
john at feith.com
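The symptom described in this thread (the client is asked for Negotiate but what arrives at the server is NTLM) is easiest to confirm from the server or proxy side by looking at what the `Authorization: Negotiate` header actually carries. RFC 4559 allows the base64 payload to be either a SPNEGO `NegTokenInit` (RFC 4178) whose `mechTypes` list shows which mechanism the client preferred, or, from some Microsoft clients, a bare `NTLMSSP` message. The following is an added example, not code from this thread or from any Kerberos project: a small DER parser that classifies such a header, plus a tiny DER encoder used only to construct sample tokens inline (the three `SAMPLE_*` values are constructed placeholders, not captured traffic).

```python
import base64

# GSS-API mechanism OIDs (RFC 4178 / MS-SPNG); these values are standard.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _tlv(tag, body):
    """Minimal DER tag-length-value encoder (used to build the samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:  # base-128 with continuation bits on all but the last byte
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mech_oids, mech_token=b""):
    """Construct a SPNEGO NegTokenInit (RFC 4178 4.2.1) for sample headers."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids))
    fields = _tlv(0xA0, mech_list)                      # [0] mechTypes
    if mech_token:
        fields += _tlv(0xA2, _tlv(0x04, mech_token))    # [2] mechToken
    neg_init = _tlv(0xA0, _tlv(0x30, fields))           # [0] NegTokenInit
    return _tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO_OID)) + neg_init)


def classify_negotiate_header(header_value):
    """Say what an Authorization header really carries: Kerberos, NTLM, or neither."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):           # bare NTLM, no SPNEGO wrapper
        return {"kind": "raw-ntlm", "mechs": [NTLMSSP_OID]}
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:                               # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    t, oid, pos = _read_tlv(body, 0)
    if t != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        return {"kind": "gss-other", "mechs": [_decode_oid(oid)]}
    t, neg, _ = _read_tlv(body, pos)
    if t != 0xA0:                                 # [1] would be a server NegTokenResp
        return {"kind": "spnego-resp", "mechs": []}
    _, seq, _ = _read_tlv(neg, 0)
    mechs, pos = [], 0
    while pos < len(seq):
        t, v, pos = _read_tlv(seq, pos)
        if t == 0xA0:                             # mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(v, 0)
            p = 0
            while p < len(lst):
                _, o, p = _read_tlv(lst, p)
                mechs.append(_decode_oid(o))
    preferred = mechs[0] if mechs else None       # first entry is the client's choice
    if preferred in (KRB5_OID, MS_KRB5_OID):
        kind = "spnego-kerberos"
    elif preferred == NTLMSSP_OID:
        kind = "spnego-ntlm"
    else:
        kind = "spnego-unknown"
    return {"kind": kind, "mechs": mechs}


# Constructed sample headers (placeholder mech tokens, not real traffic).
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"placeholder-ap-req")).decode()
SAMPLE_NTLM_IN_SPNEGO = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20).decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos", SAMPLE_KERBEROS), ("ntlm-in-spnego", SAMPLE_NTLM_IN_SPNEGO),
                      ("raw-ntlm", SAMPLE_RAW_NTLM)]:
        print(name, classify_negotiate_header(hdr))
```

Running this over headers logged at the web server (or a reverse proxy in front of it) separates the two situations the thread is debating: a client that sends a SPNEGO token with NTLMSSP first in `mechTypes` did ask for Negotiate but chose NTLM inside it, while a `raw-ntlm` result means no SPNEGO wrapper was produced at all. Either way, a server that only holds a Kerberos acceptor credential will fail the request, so alerting on `spnego-ntlm` and `raw-ntlm` for hosts that are expected to use Kerberos is a cheap way to spot the interactive-logon credential-cache problem described above.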
