Re: NTLM authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 12 Jul 2000 01:10:00 +0200

Robert Collins wrote:

> I modified the code to only present the NTLM line, and voila, it works
> as per the various notes around on sourceforge, and this list.

Ok. They probably have to be reordered the other way around.

> I'm planning on doing some work on this in the near future. I suggest
> that the process should be
>
> check the Agent header, if it contains MSIE (ideally if it matches a
> particular acl type - say NTLM_agents) present NTLM only, otherwise
> present all known auth lines.
> If the browser won't accept NTLM, fall back to presenting all known auth
> lines.

Shouldn't be needed. It isn't needed for WWW-Authenticate. IIS sends
both if both are enabled.

> Also does anyone have suggestions as to preventing the logging of the
> two DENIED entries while the NTLM handshake goes on?

Well.. technically there are two denied requests. It might however be
possible to add the feature to skip logging for the interim handshake
request (request #2). However I give this feature an almost non-existing
priority as great care must be taken to do it properly without opening a
window where the user (with a custom client) might perform other actions
which should have been logged, and it is not at all obvious how it should
be determined that it is safe to skip the log entry.

/Henrik
Received on Tue Jul 11 2000 - 18:22:01 MDT
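
Added example, not part of the original message and not Squid code: rather than skipping log entries inside the proxy, a log viewer can hide the handshake denials after the fact, and only when the same client's entries form a clean 407, 407, success run for one request. It assumes Squid's native access.log layout, a 5-second window, and constructed sample lines; the names `collapse_handshakes`, `WINDOW` and `DENIALS` are hypothetical.

```python
import re

# Squid native access.log fields: time elapsed client code/status bytes method URL ...
LINE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\w+)/(\d{3})\s+\d+\s+(\S+)\s+(\S+)")
WINDOW = 5.0   # assumed upper bound, in seconds, for one handshake
DENIALS = 2    # the two DENIED entries discussed in the thread

# Constructed sample lines (not real traffic).
SAMPLE = [
    "963357000.100     12 10.0.0.5 TCP_DENIED/407 1520 GET http://example.com/ - NONE/- text/html",
    "963357000.150      9 10.0.0.5 TCP_DENIED/407 1710 GET http://example.com/ - NONE/- text/html",
    "963357000.420    250 10.0.0.5 TCP_MISS/200 4312 GET http://example.com/ alice DIRECT/192.0.2.10 text/html",
    "963357010.000     10 10.0.0.9 TCP_DENIED/407 1520 GET http://example.com/a - NONE/- text/html",
    "963357010.050     11 10.0.0.9 TCP_DENIED/407 1520 POST http://example.com/b - NONE/- text/html",
    "963357010.300    200 10.0.0.9 TCP_MISS/200 900 GET http://example.com/a bob DIRECT/192.0.2.10 text/html",
]

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, client, code, status, method, url = m.groups()
    return {"ts": float(ts), "client": client, "code": code,
            "status": int(status), "key": (method, url)}

def collapse_handshakes(lines):
    """Return (kept, hidden). Hide 407s only for a clean 407, 407, success run."""
    hidden, pending = set(), {}   # pending: client -> [(index, entry)] of held 407s
    for i, line in enumerate(lines):
        e = parse(line)
        if e is None:
            continue              # unparsed lines are always kept
        held = pending.pop(e["client"], [])
        same = (bool(held) and held[0][1]["key"] == e["key"]
                and e["ts"] - held[0][1]["ts"] <= WINDOW)
        if e["code"] == "TCP_DENIED" and e["status"] == 407:
            if not same:
                pending[e["client"]] = [(i, e)]        # start of a possible handshake
            elif len(held) < DENIALS:
                pending[e["client"]] = held + [(i, e)]
            # a third denial leaves every held entry visible
        elif same and len(held) == DENIALS and e["code"] != "TCP_DENIED":
            hidden.update(idx for idx, _ in held)      # same request, now allowed
        # any other entry from this client: the held denials stay visible
    kept = [l for i, l in enumerate(lines) if i not in hidden]
    return kept, [lines[i] for i in sorted(hidden)]
```

The raw log keeps every entry; only the view is filtered, so a client that interleaves a different request between the denials (the second client in the sample) loses nothing from the record.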