On Sun, 2005-10-16 at 21:00 +0200, Henrik Nordstrom wrote:
> On Sun, 16 Oct 2005, Serassio Guido wrote:
>
> > Using Kerberos, only the blob provided from the client (should be the Service
> > Token) is needed, so the communication between Squid and the helper must be
> > only YR ==> AF.
>
> Very odd.. there is supposed to be a significantly longer exchange..
It varies. For NTLMSSP it's a bit longer, and for Kerberos it is 'one
shot'.
> Are you running the browser locally on the same machine? In the past I
> have found Windows SPNEGO (even SPNEGO over HTTP) to behave very differently
> on local connections than network connections to remote servers, and in
> such situations using neither NTLM nor Kerberos GSSAPI but instead some
> very lightweight "local user" authentication model using just a single
> client->server packet like you describe.
>
> In any event the Negotiate patch doesn't really care how many steps there
> are. Anywhere from 1 to N steps is fine, or as many as the negotiated
> authentication system requires to finish the handshake.
>
>
> Reading Microsoft documentation. It says there will be 1-N exchanges
> taking place until the GSSAPI context is complete. It is possible the
> first message is sufficient in some cases, but not always.
Yep.
Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:07 MST