On Mar 18, 8:39 pm, "Michael B Allen" <[EMAIL PROTECTED]> wrote:
> That problem doesn't really have anything to do with SPNEGO. The SSPI
> layer knows nothing about interactive logons. The problem is that some
> application has acquired and inserted an NTLM credential into the
> credential cache so naturally the InitializeSecurityContext function
> as called by IE is going to pick that. That may not be optimal but it
> really has nothing to do with SPNEGO. The behavior you want would
> require that IE specify that it wants the SPNEGO mechanism and not the
> NTLM mechanism (not sure if SSPI supports the specification of a
> mechanism like GSSAPI does - it may simply infer the mechanism from
> the credential).

All I can tell you is that Microsoft, who recreated this problem in their lab and who looked at their code, indicated that IE *is* asking for SPNEGO and special-case code in the SSPI chooses to return an NTLM token because of an interactive logon session. I don't have access to their source code, so it is hard for me to comment on whether that is in fact how their code works.

I will note that the problem also occurs using Firefox when configured to use the Microsoft SSPI, and I have looked at that code, which does seem to explicitly request the Negotiate SSPI package.

-- John
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
