On Mar 18, 12:59 am, "Michael B Allen" <[EMAIL PROTECTED]> wrote:
> If the HTTP server returns "WWW-Authenticate: NTLM" then the client
> must use NTLMSSP tokens. If it returns "WWW-Authenticate: Negotiate"
> then the tokens must be SPNEGO. If it returns both, then the client
> can pick.

Yep ... that's pretty much how I understand things. In our case we are only returning "WWW-Authenticate: Negotiate".

> Otherwise, you need to explain the point of failure in more detail.

The IE client is responding to "WWW-Authenticate: Negotiate" with a raw NTLM instead of SPNEGO.

> If you're not sure then provide an HTTP client / server call sequence

We're sure ... it's all been checked / double-checked using packet sniffers, etc. Microsoft has also confirmed it and looked at their code. They say that it's intentional to return a raw NTLM instead of SPNEGO regardless of the availability of Kerberos in some situations when responding to "WWW-Authenticate: Negotiate".

> the point of failure.

The real problem is that Microsoft admits that this is intentional and claims that it is RFC4559 compliant. I'm having great difficulty in getting them to understand that RFC4559 *requires* that SPNEGO be used. I'm open to suggestions.

-- John
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
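
Added example, not part of the original message and not code from any project named in it: a server-side check that tells a raw NTLMSSP token from a SPNEGO-wrapped one in an "Authorization: Negotiate" value, the distinction this thread turns on. The function names, return labels and both sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                          # start of every NTLMSSP message
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # DER OID 1.3.6.1.4.1.311.2.2.10

def _skip_der_len(buf, pos):
    """Return the offset just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return pos + 1 + n

def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLMSSP_SIG):
            return "raw-ntlmssp"        # bare NTLMSSP, no SPNEGO wrapper
        if tok[:1] == b"\xa1":
            return "spnego-resp"        # NegTokenResp, later legs of the exchange
        if tok[:1] == b"\x60":          # GSS-API InitialContextToken framing
            pos = _skip_der_len(tok, 1)
            if tok[pos:pos + len(SPNEGO_OID)] == SPNEGO_OID:
                # Byte search for the NTLM mech OID: a heuristic, not a full ASN.1 parse.
                return "spnego-init-ntlm" if NTLM_OID in tok else "spnego-init"
            return "gss-other-mech"     # GSS framing, but the mechanism is not SPNEGO
    except (ValueError, IndexError):
        return "malformed"
    return "unknown"

def _tlv(tag, body):  # constructed-sample helper: short-form DER TLV, body < 128 bytes
    return bytes([tag, len(body)]) + body

def _hdr(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: an NTLMSSP Type 1 stub and a NegTokenInit offering only NTLM.
RAW_NTLM = _hdr(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(4))
mech_list = _tlv(0xA0, _tlv(0x30, NTLM_OID))
SPNEGO_NTLM = _hdr(_tlv(0x60, SPNEGO_OID + _tlv(0xA0, _tlv(0x30, mech_list))))

if __name__ == "__main__":
    print(classify_negotiate(RAW_NTLM), classify_negotiate(SPNEGO_NTLM))
```

Logging the returned label per request, next to the User-Agent, shows which clients send the unwrapped form and how often.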
