Re: SPNEGO seems to work on Windows !!!

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 16 Oct 2005 21:00:34 +0200 (CEST)

On Sun, 16 Oct 2005, Serassio Guido wrote:

> Using Kerberos, only the blob provided from the client (should be the Service
> Token) is needed, so the communication between Squid and the helper must be
> only YR ==> AF.

Very odd.. there is supposed to be a significantly longer exchange..

Are you running the browser locally on the same machine? In the past I
have found Windows SPNEGO (even SPNEGO over HTTP) to behave very differently
on local connections than network connections to remote servers, and in
such situations using neither NTLM nor Kerberos GSSAPI but instead some
very lightweight "local user" authentication model using just a single
client->server packet like you describe.

In any event the Negotiate patch doesn't really care how many steps there
are. Anywhere from 1 to N steps is fine, or as many as the negotiated
authentication system requires to finish the handshake.

Reading Microsoft documentation. It says there will be 1-N exchanges
taking place until the GSSAPI context is complete. It is possible the
first message is sufficient in some cases, but not always.

Regards
Henrik
Received on Sun Oct 16 2005 - 13:00:37 MDT
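
The 1-to-N step exchange discussed in this message, as an added example that is not part of the original e-mail and is not Squid's or the helper's own code. Only YR and AF appear in the thread; TT, KK and BH are the other keywords of Squid's NTLM/Negotiate helper protocol, and `MockAcceptor`, `helper_reply`, `run_handshake`, the token strings and the user name are hypothetical, constructed stand-ins for a real GSSAPI/SSPI accept-context call.

```python
import base64

class MockAcceptor:
    """Constructed stand-in for a GSSAPI/SSPI accept-context call (no real crypto).
    The context is complete after `rounds` client tokens."""
    def __init__(self, rounds, user):
        self.rounds, self.user, self.seen = rounds, user, 0

    def step(self, token):
        self.seen += 1
        return self.seen >= self.rounds, b"srv-token-%d" % self.seen

def helper_reply(acceptor, line):
    """One helper turn: turn a request line from Squid into a reply line."""
    parts = line.split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return "BH invalid request"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "BH invalid base64"
    done, reply = acceptor.step(token)
    blob = base64.b64encode(reply).decode()
    # AF ends the handshake and names the user; TT asks for another round.
    return f"AF {blob} {acceptor.user}" if done else f"TT {blob}"

def run_handshake(rounds, user="alice@EXAMPLE.TEST", max_steps=8):
    """Proxy side: loop until the helper stops answering TT.
    The loop is bounded so a peer cannot keep a context open forever."""
    acceptor = MockAcceptor(rounds, user)
    transcript, verb = [], "YR"  # YR opens, KK continues
    for i in range(1, max_steps + 1):
        request = f"{verb} {base64.b64encode(b'cli-token-%d' % i).decode()}"
        reply = helper_reply(acceptor, request)
        transcript.append((verb, reply.split()[0]))
        if not reply.startswith("TT"):
            return transcript
        verb = "KK"
    transcript.append(("-", "ABORT"))  # step limit reached without AF
    return transcript

if __name__ == "__main__":
    for n in (1, 3):
        print(n, run_handshake(n))
```

With `rounds=1` the transcript is the single YR ==> AF pair reported in the quoted text; with `rounds=3` the same loop goes through two TT/KK rounds before AF.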
