Steve,

> > [...] That is, removing the flags seems to have done the trick.
>
> Whilst I have some experience in this area I'm not a security expert - I'm
> still learning in some respects ;-)
>
> What I did find from my own testing of the Kerberos 5 support I recently
> added for the email protocols was that these flags served no purpose, if
> you're not encrypting the data, so if you look at the new code in
> curl_sasl_sspi.c I simply pass zero - unless the mutual authentication flag
> is set in which case I pass in ISC_REQ_MUTUAL_AUTH (which we don't use in
> the NTLM code).
>
> > I have no explanation why the flags seem to have had such a negative
> > effect for some of the users.
> >
> > However, after googling again for some time I found this url
> >
> > and this url
>
> Interesting finds.
>
> > My conclusion is that it seems to be better to remove the flags.
>
> I'm all for removing them if it means we work out of the box with more
> proxy servers.
>
> Do you think it is worth passing a flag into those functions and
> setting the ISC_REQ_ flags if that flag is set - for the email
> protocols for example or not?

For the calls in curl_ntlm_msgs.c I probably wouldn't do that. However, I'm no Windows SSPI expert.

> However, I have just tested this against an Exchange 2013 server with
> both single sign on and a specific user account (both with and without
> the domain) and all three tests succeeded with the ISC_REQ_ flags as
> zero.
>
> Are you up to providing a patch - I can do it but it is your find so I
> would rather you are credited for the work ;-)

I just submitted a patch to the curl-library list. :-)

Thanks again for bearing with me throughout the process to analyze and to finally fix the problem!

Regards,

Ulrich

--
Private e-mail: [email protected]
World Wide Web: http://www.telle-online.de
