ntlm_auth --helper-protocol=gss-spnego

Henrik Nordstrom hno at squid-cache.org
Mon Apr 26 15:37:21 GMT 2004

On Mon, 26 Apr 2004, Andrew Bartlett wrote:

> The order is changed - SPENGO is a server-speaks-first protocol, so the
> first YR gets things moving.

Confused.. according to the MS docs I can find Negotiate over HTTP is a 
client-speaks-first protocol just like NTLM over HTTP..

[skipping the dummy step establishing that the Negotiate mechanism is at 
all available]

# Client calls InitializeSecurityContext() and generates a NegTokenInit, 
does a base64 encoding of it, and resends the Get with the following 
header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: 
Negotiate YIIGUQY<remainder of base64 encoded string>).

* Server decodes the NegTokenInit, extracts the supported MechTypes (the
one at the front of the MechTypeList should be either Kerberos Legacy or
Kerberos V5), ensures it is one of the expected ones, and then extracts
the MechToken and authenticates using gss_accept_security_context.

* If gss_accept_security_context returns GSS_S_CONTINUE_NEEDED, the Web 
server should return HTTP 401 (Unauthorized) status, and the response 
token as "WWW-Authenticate: Negotiate <base64 encoding>" (e.g. 
WWW-Authenticate: Negotiate oYIBLj<remainder of base64 encoded string>).

How does this map to ntlm_auth gss-spnego if ntlm_auth is 

Still a little confused on how GSS-SPNEGO, Negotiate SSP, Kerberos SSP and
NTLM SSP goes together, but most I could find indicates GSS-SPNEGO is the
protocol implemented by the Negotiate SSP, running ontop of the NTLM
and Kerberos SSP, but then at the same time most of the same documents
seem to be very Kerberos specific..


More information about the samba-technical mailing list