Hi Brian, On Fri, 9 Dec 2016, brian m. carlson wrote:
> On Thu, Dec 08, 2016 at 04:12:32PM -0500, David Turner wrote: > > I know of no reason that shouldn't work. Indeed, it's what we use do > > internally. So far, nobody has reported problems. That said, we have > > exactly three sets of git servers that most users talk to (two > > different internal; and occasionally github.com for external stuff). > > So our coverage is not very broad. > > > > If you're going to do it, tho, don't just do it for Windows users -- > > do it for everyone. Plenty of Unix clients connect to Windows-based > > auth systems. > > Let me echo this. This would make Kerberos (and probably other forms of > SPNEGO) work out of the box, which would reduce a lot of confusion that > people have. > > I can confirm enabling http.emptyAuth works properly with Kerberos, > including with fallback to Basic, so I see no reason why we shouldn't do > it. One of my colleagues offered a legitimate concern: it potentially adds another round-trip. Do you happen to know whether regular HTTPS negotiation will have an extra round-trip if Kerberos is attempted, but we have to fall back to interactively prompt for (or use stored) credentials? Ciao, Johannes
