On Feb 10, 2010, at 2:57 AM, Max (Weijun) Wang wrote: > Now, it looks like that the customer's web server does not accept SPNEGO > NegTokenInit, but only Kerberos AP-REQ. Is this true for the mod_auth_kerb > module?
As noted, this is not the right list. The usual issue "with mod_auth_kerb" is that IE isn't configured to do Kerberos to the specific (non-Windows) web server, and falls back to the NTLM SPNEGO sub-mechanism. Support (or lack of it) for HTTP-Negotiate/SPNEGO/NTLM is actually a property of the GSSAPI library which mod_auth_kerb is linked against. mod_auth_kerb includes a SPNEGO/Krb5 implementation which is used if the GSSAPI library does not support SPNEGO at all. It does not include SPNEGO/NTLM (though there might be one in CVS head). The recommended solution for this problem (if this is your problem) is to configure IE so the web server is in the "Intranet", not the "Internet", as labeled in the lower right of it's window. ------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
