On 3/18/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Note that accepting raw tokens is not terribly hard considering SPNEGO
> > is largely a wrapper for the raw tokens.
>
> In our situation the Microsoft SSPI has decided that since there are NTLM
> credentials available due to an interactive logon to the same machine
> that happens to run our application, it's going to send the NTLM
> credentials instead of using the Kerberos credentials which are also
> available. This is due to special case code in the SSPI which prefers
> NTLM over Kerberos in this situation.

That problem doesn't really have anything to do with SPNEGO. The SSPI layer knows nothing about interactive logons. The problem is that some application has acquired and inserted an NTLM credential into the credential cache, so naturally the InitializeSecurityContext function as called by IE is going to pick that. That may not be optimal, but it really has nothing to do with SPNEGO. The behavior you want would require that IE specify that it wants the SPNEGO mechanism and not the NTLM mechanism (not sure if SSPI supports the specification of a mechanism like GSSAPI does - it may simply infer the mechanism from the credential).

> Now if they actually implemented SPNEGO as required by the RFC we would
> be able to respond with accept_incomplete and request that the Kerberos
> token be used.

I wouldn't be super confident that that would actually work. Again, just because you see something in an RFC doesn't mean that it actually works like that in practice.

Our product provides a logon routine that allows authenticating clients using a traditional username+password method. That handles all of the "client will not or cannot do kerberos" scenarios and not just the one NTLM case.

Note that NTLM doesn't support delegation, so if I remember your original post correctly, implementing NTLM with pass-through authentication would not help your particular scenario.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
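The thread turns on two things an acceptor can observe from the first token it receives: whether the client sent a raw NTLMSSP token or a SPNEGO NegTokenInit, and, if SPNEGO, whether Kerberos is in the mechTypes list at all. The following Python is an added example written for this page; it is not code from the thread, from Mike's product, or from any Microsoft or MIT library. It decodes just enough DER to read the mechTypes of a NegTokenInit, classifies the token the way a server-side log or diagnostic would, and builds the RFC 4178 NegTokenResp (negState accept-incomplete plus supportedMech) that the quoted poster hoped to send back to steer the client toward Kerberos. All tokens are constructed inline; the OIDs are the well-known ones from RFC 4178 and MS-SPNG.

```python
"""Inspect SPNEGO NegTokenInit mechTypes and build an accept-incomplete reply.
Minimal DER handling only; sample tokens below are constructed for this example."""

# Well-known mechanism OIDs (dotted form).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"        # Microsoft's Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
ACCEPT_INCOMPLETE = 1                        # negState value, RFC 4178 section 4.2.2


def der_len(n: int) -> bytes:
    """Encode a DER length (short form, or long form for n >= 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def oid_encode(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06 included)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                            # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def oid_decode(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        yield tag, child


def build_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """GSS-API InitialContextToken wrapping a NegTokenInit (mechTypes + mechToken)."""
    mech_list = der_tlv(0x30, b"".join(oid_encode(o) for o in mech_oids))
    fields = der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0x60, oid_encode(OID_SPNEGO) + der_tlv(0xA0, der_tlv(0x30, fields)))


def parse_mech_types(token: bytes):
    """mechTypes of a NegTokenInit, or None if the token is not a SPNEGO initial token."""
    if not token or token[0] != 0x60:
        return None
    _, body, _ = der_read(token)
    tag, oid_body, pos = der_read(body)
    if tag != 0x06 or oid_decode(oid_body) != OID_SPNEGO:
        return None                           # e.g. a raw Kerberos AP-REQ (krb5 OID)
    tag, neg_init, _ = der_read(body, pos)
    if tag != 0xA0:
        return None                           # not a NegTokenInit
    _, seq, _ = der_read(neg_init)
    for tag, field in der_children(seq):
        if tag == 0xA0:                       # [0] mechTypes
            _, mech_list, _ = der_read(field)
            return [oid_decode(b) for t, b in der_children(mech_list) if t == 0x06]
    return []


def classify_initial_token(token: bytes) -> str:
    """What the acceptor can tell from the client's first token."""
    if token.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"
    mechs = parse_mech_types(token)
    if mechs is None:
        return "not-spnego"
    if OID_KRB5 in mechs or OID_MS_KRB5 in mechs:
        return "spnego-kerberos-available"
    return "spnego-ntlm-only" if OID_NTLMSSP in mechs else "spnego-unknown-mechs"


def build_accept_incomplete(supported_mech: str) -> bytes:
    """NegTokenResp with negState accept-incomplete and supportedMech set."""
    fields = der_tlv(0xA0, der_tlv(0x0A, bytes([ACCEPT_INCOMPLETE]))) + \
        der_tlv(0xA1, oid_encode(supported_mech))
    return der_tlv(0xA1, der_tlv(0x30, fields))


def parse_neg_token_resp(reply: bytes):
    """Return (negState, supportedMech) from a NegTokenResp built above."""
    _, seq_tlv, _ = der_read(reply)
    _, seq, _ = der_read(seq_tlv)
    state, mech = None, None
    for tag, field in der_children(seq):
        if tag == 0xA0:
            state = der_read(field)[1][0]
        elif tag == 0xA1:
            mech = oid_decode(der_read(field)[1])
    return state, mech


def choose_reply(token: bytes, server_prefs=(OID_MS_KRB5, OID_KRB5)):
    """If the client offered a Kerberos mechanism, answer accept-incomplete naming it.
    Only the renegotiation case is shown: if the chosen mech were mechs[0], a real
    acceptor would process the optimistic mechToken instead of asking for a new one."""
    mechs = parse_mech_types(token) or []
    for m in server_prefs:
        if m in mechs:
            return build_accept_incomplete(m)
    return None


# Constructed samples (not captured traffic). NTLM listed first mirrors the
# thread: the optimistic token is NTLM even though Kerberos is also offered.
FAKE_NTLM_NEGOTIATE = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28
SAMPLE_MIXED = build_neg_token_init([OID_NTLMSSP, OID_MS_KRB5, OID_KRB5], FAKE_NTLM_NEGOTIATE)
SAMPLE_NTLM_ONLY = build_neg_token_init([OID_NTLMSSP], FAKE_NTLM_NEGOTIATE)
SAMPLE_RAW_NTLM = FAKE_NTLM_NEGOTIATE

if __name__ == "__main__":
    for name, tok in [("mixed", SAMPLE_MIXED), ("ntlm-only", SAMPLE_NTLM_ONLY),
                      ("raw", SAMPLE_RAW_NTLM)]:
        print(name, classify_initial_token(tok), parse_mech_types(tok))
    print(parse_neg_token_resp(choose_reply(SAMPLE_MIXED)))
```

The classification is the useful part for a server operator: logging `spnego-ntlm-only` versus `spnego-kerberos-available` per client separates "this host has no Kerberos ticket for the service" from "the client has a ticket but its SSPI chose NTLM anyway", which is the distinction the thread is arguing about. Whether a given client honours the accept-incomplete reply is exactly the point Mike is sceptical of, so treat the reply builder as the RFC's intended behaviour, not as something every client will follow.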
