I *think* the problem is that Microsoft is returning a "200 OK" message but it has additional authentication header fields attached to it. If they were using the 401 code, that would be OK, but they are using 200 and adding the final mutual-auth GSSAPI tokens to it, which, I believe, is a violation. At least that is what the Mozilla
guys told me a while ago when I was working on it.
-Wyllys Fred Dushin wrote:
Could you elaborate on how this would break the HTTP spec? I was under the (admittedly naive) impression that more or less any challenge-response authentication mechanism could be implemented in HTTP via the HTTP 401 error code. So presumably I would think that GSS context tokens could be exchanged through this mechanism. (E.g., client sends a request with an initial context token, server returns an HTTP 401 with a continuation token, client resends request with context completion token, and perhaps subsequent requests contain some context identifier) This approach may not be standard, but a standard authentication mechanism could theoretically be proposed. I don't see how it breaks HTTP, but I'm not an HTTP expert. Thanks, Fred On Jul 11, 2005, at 12:59 PM, Wyllys Ingersoll wrote: > Mutual authentication is not supported correctly because it is not > possible to do so without violating the HTTP spec.
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
