On Mar 17, 9:12 pm, "Michael B Allen" <[EMAIL PROTECTED]> wrote:
> The problem is that the client will not or cannot initiate Kerberos.

Nice try, however no. The client has no problems using Kerberos. There are credentials in the cache for the user. There's no problem fetching credentials for the webserver. The problem has specifically been traced by Microsoft to a bit of code in the Negotiate SSPI which causes a raw NTLM to be returned instead of a SPNEGO in some situations even though Kerberos is available / working.

The issue is whether RFC4559 allows a raw NTLM to be returned. My read of the RFC is SPNEGO is always required ... so let's say that there was something interfering with Kerberos and Windows dropped back to NTLM. What it should send is a SPNEGO encapsulating an NTLM. What it actually sent was a raw NTLM. Microsoft's take is that a raw NTLM is a completely compliant RFC4559 response.

I'm looking for someone to clarify the issue or suggest how to resolve it.

--
John
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
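The distinction discussed in this message can be checked on the server side from the first bytes of the decoded `Authorization: Negotiate` token. The following is an added example, not code from the original post or from any vendor: the function name, the result labels and the sample tokens are assumptions constructed for illustration, and the SPNEGO branch uses a byte scan rather than a full DER parse.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                              # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def after_der_length(buf, pos):  # offset just past the DER length field at pos
    first = buf[pos]
    return pos + 1 + ((first & 0x7F) if first & 0x80 else 0)

def classify_negotiate(header_value):
    """Label the token in a 'Negotiate <base64>' header value (byte-scan heuristic)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if tok.startswith(NTLMSSP_SIG):
        return "raw-ntlm"              # no GSS-API/SPNEGO framing at all
    if len(tok) < 2:
        return "malformed"
    if tok[0] == 0xA1:
        return "spnego-response"       # NegTokenResp, a later leg of the exchange
    if tok[0] != 0x60:                 # GSS-API initial token is [APPLICATION 0]
        return "unknown"
    body = after_der_length(tok, 1)
    if tok.startswith(OID_KRB5, body):
        return "raw-kerberos"          # Kerberos GSS token without SPNEGO
    if not tok.startswith(OID_SPNEGO, body):
        return "unknown"
    inner = tok[body + len(OID_SPNEGO):]
    if NTLMSSP_SIG in inner:
        return "spnego-ntlm"           # mechToken carries an NTLM message
    return "spnego-kerberos" if OID_KRB5 in inner else "spnego-other"

def der(tag, payload):  # sample helper: DER TLV with a short-form length (< 128)
    return bytes([tag, len(payload)]) + payload

# Constructed samples (not captured traffic): a minimal NTLM NEGOTIATE message,
# sent raw and wrapped in a SPNEGO NegTokenInit that offers only NTLMSSP.
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(4)
MECHS = der(0xA0, der(0x30, OID_NTLMSSP))
MTOK = der(0xA2, der(0x04, NTLM_TYPE1))
SPNEGO_NTLM = der(0x60, OID_SPNEGO + der(0xA0, der(0x30, MECHS + MTOK)))
for label, tok in (("raw", NTLM_TYPE1), ("wrapped", SPNEGO_NTLM)):
    print(label, "->", classify_negotiate("Negotiate " + base64.b64encode(tok).decode()))
```

Logging this label per request shows how often a client sends the raw form versus the SPNEGO-wrapped form, which is the behaviour in dispute here.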
