hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Beau Cronin <bcro...@MIT.EDU>
Subject Re: NTLM type 2 header issue
Date Mon, 31 Jan 2005 02:01:09 GMT
> On 31/01/2005, at 5:02 AM, Beau Cronin wrote:
>> As far as I can tell, all NTLM messages should have "NTLM" as the
>> header.  Is anyone familiar with the source of this behavior?  Is this
>> within the NTLM "spec", or is there something weird going on here?
> As far as I know you're right.  NTLM servers generally respond with:
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
> (often there's a Kerberos in the middle)
> What is the server you're having trouble with?

The server is just an internal IIS server we're using for testing for 
this issue.  I'm not sure exactly how it's configured, 
unfortunately--but as far as I know, it's a vanilla configuration.

I'm a little surprised by this "Negotiate" header, since the NTLM 
reverse-engineering documents I've seen don't mention it.  Is there 
somewhere I can look which discusses it?

> I would tend to think that it's reasonable to continue down the NTLM 
> authentication path once we've started if we get a Negotiate header 
> with no following NTLM header.  I'd like to know more about what 
> Negotiate means though as I suspect it is an authentication scheme in 
> itself or at least a scheme for negotiating the scheme to use.  I 
> don't recall seeing the Negotiate scheme in any standards or 
> documentation I've read though.

I interpret this to mean you think this is a legitimate NTLM response 
then?  In that case, I suppose this requires a modification to the 
http-client NTLMScheme code to appropriately handle it.  Is that a 
reasonable supposition?  If so, maybe I can take a look at what's 
involved.  I'm rather new to this area, though, so I wanted to check 
with the experts here before making any assumptions about where any 
changes need to be made.

Any further input greatly appreciated,

Beau Cronin

To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org

View raw message