On 3/18/08, Todd Stecher <[EMAIL PROTECTED]> wrote:
> My reading of the RFC is that it is truly "informational," describing
> how clients and servers use SPNEGO + HTTP, but not specifying every
> possible HTTP auth scheme. Chances are the answer you got about raw
> NTLM being "OK" was passed through various layers of Microsoft from
> Larry Zhu, the author of the RFC itself, and based not on
> "correctness" but rather on the behavior of millions of deployed
> clients and servers. Even if you could get MS to change the behavior
> to your interpretation of the RFC, it's not going to help much until
> every machine out there is updated.
I would hope that they do NOT change the existing behavior. I consider accepting "raw" NTLM and Kerberos tokens to be a feature. In fact, SPNEGO is largely dead weight - I don't recall seeing it ever "negotiate" much of anything. It's just one of those things that sounded nice in theory but in practice it didn't really help anyone. But MS clients send SPNEGO tokens so we need to accept them.

Note that accepting raw tokens is not terribly hard considering SPNEGO is largely a wrapper for the raw tokens. It's an extra condition in your code. Or just use a GSSAPI implementation that supports SPNEGO and you're done.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
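As an added example (not code from this thread or from the author's project), here is the "extra condition" a server side needs: a small Python classifier that inspects the first bytes of the token carried in an Authorization: Negotiate header and tells a raw NTLMSSP message, a raw Kerberos InitialContextToken and a SPNEGO NegTokenInit apart by their GSS framing and mechanism OID. The sample tokens at the bottom are constructed placeholders, not real captures.

```python
import base64
# DER OBJECT IDENTIFIER encodings, tag and length byte included
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def classify_token(token):
    """Return 'ntlm', 'kerberos', 'spnego', 'spnego-resp' or 'unknown'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"            # raw NTLMSSP message, no GSS framing at all
    if token[:1] == b"\xa1":
        return "spnego-resp"     # NegTokenResp: a later leg of a SPNEGO exchange
    if token[:1] != b"\x60":
        return "unknown"
    try:                         # [APPLICATION 0] InitialContextToken, RFC 2743 3.1
        _, pos = _der_length(token, 1)
    except (ValueError, IndexError):
        return "unknown"
    body = token[pos:]           # next element is the mechanism OID
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID) or body.startswith(MS_KRB5_OID):
        return "kerberos"
    return "unknown"

def classify_header(value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        return classify_token(base64.b64decode(b64, validate=True))
    except ValueError:           # binascii.Error is a ValueError subclass
        return "unknown"

# Constructed sample tokens (not real captures); inner bodies are zero padding
SAMPLE_NTLM = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28
SAMPLE_KRB5 = b"\x60\x81\xd5" + KRB5_OID + b"\x01\x00" + b"\x00" * 200   # long-form length
SAMPLE_SPNEGO = b"\x60\x10" + SPNEGO_OID + b"\xa0\x06\x30\x04\xa0\x02\x30\x00"
```

Once the mechanism is known, a raw NTLM or Kerberos token can be handed straight to that mechanism instead of being rejected for lacking the SPNEGO wrapper.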
