[jcifs] Kerberos HTTP authentication

Michael B Allen mba2000 at ioplex.com
Tue Oct 3 16:52:48 GMT 2006


On Tue, 3 Oct 2006 12:24:26 -0400
"Eric Glass" <eric.glass at gmail.com> wrote:

> I don't think IE supports a "raw" Kerberos auth mechanism.  There were
> some various initiatives at kerberizing http prior to Microsoft's
> Negotiate/SPNEGO-based approach; this may have been one of those.
> 
> One thing that's mildly interesting to note is that MS's "Negotiate"
> SSPI provider is non-conformant to SPNEGO in that it supports raw
> tokens from subproviders (i.e. not wrapped in SPNEGO).  As a client,
> you should be able to send raw Kerberos tokens to IIS and get back an
> appropriate response.

Ehh, I wouldn't call this "non-conformant" since A) the Negotiate protocol
isn't really defined anywhere AFAIK and B) the initial GSSAPI token is
always prefixed with the mech OID so the "raw" behavior is entirely
deterministic. Note there's also raw NTLMSSP too.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
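
The dispatch described in the message above, as an added example that is not part of the original post and is not jcifs code: a server-side check that labels the first "Authorization: Negotiate" token as SPNEGO-wrapped, raw Kerberos or raw NTLMSSP by reading the leading mech OID. The function names, the OID table and the sample token are assumptions made for illustration.

```python
import base64
# Well-known mechanism OIDs (assumed here; the post does not list them).
MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "raw Kerberos 5",
}

def der_length(buf, pos):  # -> (length, offset just past the length field)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):  # DER OID content bytes -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def classify_negotiate_token(b64_token):  # initial Negotiate token -> label
    try:
        raw = base64.b64decode(b64_token, validate=True)
        if raw.startswith(b"NTLMSSP\x00"):   # NTLMSSP carries no GSS framing
            return "raw NTLMSSP"
        if raw[0] != 0x60:                   # [APPLICATION 0] framing tag
            return "not an initial GSSAPI token"
        _, pos = der_length(raw, 1)
        if raw[pos] != 0x06:                 # OBJECT IDENTIFIER tag
            raise ValueError("mech OID missing")
        oid_len, pos = der_length(raw, pos + 1)
        if pos + oid_len > len(raw):
            raise ValueError("OID overruns token")
        oid = decode_oid(raw[pos:pos + oid_len])
    except (ValueError, IndexError):
        return "malformed"
    return MECHS.get(oid, "unknown mechanism " + oid)

# Constructed sample: GSS framing + Kerberos 5 OID + placeholder body.
SAMPLE = base64.b64encode(bytes.fromhex("60110609" "2a864886f712010202" "0100") + b"fake").decode()
```

Logging the returned label per request shows which clients skip the SPNEGO wrapper or fall back to NTLMSSP.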

