On Sun, 2005-10-16 at 21:00 +0200, Henrik Nordstrom wrote:
> On Sun, 16 Oct 2005, Serassio Guido wrote:
>
> > Using Kerberos, only the blob provided from the client (should be the
> > Service Token) is needed, so the communication between Squid and the
> > helper must be only YR ==> AF.
>
> Very odd.. there is supposed to be a significantly longer exchange..

It varies. For NTLMSSP it's a bit longer, and for Kerberos it is 'one shot'.

> Are you running the browser locally on the same machine? In the past I
> have found Windows SPNEGO (even SPNEGO over HTTP) to behave very differently
> on local connections than network connections to remote servers, and in
> such situations using neither NTLM nor Kerberos GSSAPI but instead some
> very lightweight "local user" authentication model using just a single
> client->server packet like you describe.
>
> In any event the Negotiate patch doesn't really care how many steps there
> are. Anywhere from 1 to N steps is fine, or as many as the negotiated
> authentication system requires to finish the handshake.
>
>
> Reading Microsoft documentation. It says there will be 1-N exchanges
> taking place until the GSSAPI context is complete. It is possible the
> first message is sufficient in some cases, but not always.

Yep.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
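
An added example, not part of the original message and not Squid or Samba code, of the 1-to-N exchange discussed above: a driver that keeps feeding client tokens to a helper until the helper reports completion, so a one-shot Kerberos-style exchange and a two-round NTLMSSP-style exchange go through the same loop. Assumptions: the helpers are simulated in-process, the tokens and user names are constructed placeholders, and KK, TT, NA and BH are the other verbs of Squid's stateful helper protocol, which the thread (YR, AF) does not spell out.

```python
# Added illustration; helper replies are simulated and all tokens are constructed.

def kerberos_like_helper():
    """One shot: the client's first token completes the context."""
    def step(line):
        verb, _, token = line.partition(" ")
        if verb == "YR" and token:
            return "AF server-final alice@EXAMPLE.TEST"
        return "NA no token"
    return step

def ntlmssp_like_helper():
    """Two rounds: negotiate -> challenge (TT), then authenticate -> AF."""
    state = {"challenged": False}
    def step(line):
        verb, _, token = line.partition(" ")
        if verb == "YR":
            state["challenged"] = True
            return "TT server-challenge"
        if verb == "KK" and state["challenged"] and token:
            return "AF alice"
        return "NA unexpected message"
    return step

def run_handshake(helper, client_tokens, max_rounds=8):
    """Drive the helper until it finishes; return (verdict, rounds, trace)."""
    trace = []
    verb = "YR"                          # first message of a new handshake
    for rounds, token in enumerate(client_tokens, start=1):
        if rounds > max_rounds:
            break                        # bound the exchange
        request = f"{verb} {token}"
        reply = helper(request)
        trace.append((request, reply))
        code = reply.split(" ", 1)[0]
        if code in ("AF", "NA", "BH"):   # terminal replies
            return code, rounds, trace
        if code != "TT":
            return "BH", rounds, trace   # unknown reply: fail closed
        verb = "KK"                      # continuation messages
    return "NA", len(trace), trace       # never completed: reject

if __name__ == "__main__":
    for name, helper, tokens in [
        ("kerberos-like", kerberos_like_helper(), ["krb-ap-req"]),
        ("ntlmssp-like", ntlmssp_like_helper(), ["ntlm-negotiate", "ntlm-authenticate"]),
    ]:
        verdict, rounds, _ = run_handshake(helper, tokens)
        print(f"{name}: {verdict} after {rounds} round(s)")
```

A handshake that runs out of client tokens before the helper answers AF is treated as a rejection, never as success.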
