spnego

Tuomas tuomaksen.spammiposti at gmail.com
Thu Sep 11 12:30:18 EDT 2008


Simo Sorce wrote:
> On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
> 
>> I have been struggling with the same problem (with Apache &
>> mod_auth_kerb). For me it seems that there really isn't a foolproof way
>> to completely avoid getting NTLMSSP blobs from clients.
>>
>> I wonder is there a way to perform the login using NTLMSSP data?
> 
> You can try with mod-auth-ntlm-winbind:
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet
> 

Thanks for the info, I will try it as soon as I can get another test 
server to use since it's not possible to use both mod_auth_kerb and 
mod_auth_ntlm_winbind on the same server.

I also found out using Wireshark what Internet Explorer does when it 
fails to authenticate using Kerberos. It asks for a ticket from the Active 
Directory server for HTTP/virtualhost.domain.com instead of 
HTTP/realname.domain.com. For me this seems like a bug in IE7; has 
anyone found solutions for this?

Cheers,
Tuomas
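
Added example (not part of the original thread, and not code from mod_auth_kerb or mod_auth_ntlm_winbind): a small classifier for the token in an `Authorization: Negotiate` header, showing how a server-side log filter can tell a raw NTLMSSP blob from an SPNEGO token and list the mechanisms the client offered. The function names and the sample tokens are constructed for illustration; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP values.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
MECHS = {                                               # DER OID bodies
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos-ms", # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",   # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample tokens (not captured traffic)
SAMPLE_RAW_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_SPNEGO_NTLM = base64.b64encode(bytes.fromhex(
    "601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")).decode()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify an 'Authorization' header value; returns (kind, mech list)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate", []
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # NTLM with no GSS/SPNEGO wrapper
            return "raw-ntlmssp", []
        tag, s, _ = read_tlv(tok, 0)        # 0x60 = GSS InitialContextToken
        if tag != 0x60:
            return "unknown", []
        _, vs, ve = read_tlv(tok, s)        # thisMech OID
        if tok[vs:ve] != SPNEGO:
            return "gss", [MECHS.get(tok[vs:ve], "other")]
        for _ in range(4):                  # [0] NegTokenInit > SEQUENCE > [0] > SEQUENCE OF
            _, ve, e = read_tlv(tok, ve)
        mechs = []
        while ve < e:                       # walk the offered mechTypes
            _, vs, nxt = read_tlv(tok, ve)
            mechs.append(MECHS.get(tok[vs:nxt], "other"))
            ve = nxt
        return "spnego", mechs
    except (ValueError, IndexError):
        return "malformed", []
```

A result of `raw-ntlmssp`, or `spnego` with `ntlmssp` as the only or first mechanism, marks the requests where the client did not obtain a Kerberos service ticket.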


