My understanding is that NTLM is used as a fall-back in the event the Kerberos TGT has expired or is otherwise not available. There are other methods to use as a fall-back, some that the Kerberos protocol supports and others that are separate authentication mechanisms.

Axton

The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc.

On Mon, May 9, 2011 at 4:23 AM, John Baker <[email protected]> wrote:
> Jason,
>
> Unfortunately, it's not quite as simple as that. Kerberos /should/ work
> for everybody on a Windows network, but in practice you require
> Kerberos+NTLMv2.
>
> What Axton is suggesting is challenging because there are multiple
> interactions between browser and acceptor (i.e. whatever is running on
> Midtier) when performing Integrated Windows Authentication, and you only
> get one attempt at authenticating through the AREA plugin.
>
> And that's only the starting point: SSO for AR System becomes
> challenging and difficult to support if all you have are a few open
> source tools thrown together.
>
> I have no idea why AtriumSSO was based on OpenSSO: there are other open
> source tools BMC could have selected as a starting point, and it's
> puzzling to discover they selected an open source tool that is too large
> for them to support, and was killed off by Oracle.
>
>
> John
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"

