Extended Security negotiation on NT4

eglass1 at comcast.net
Thu Jun 10 09:44:32 GMT 2004


> Which *seems* to indicate that this is intended for backward 
> compatibility of some sort.  This would also seem to imply, however, 
> that you could possibly supply a raw (non-SPNEGO-wrapped) Kerberos
> token as well, and I don't think that works.

This *does* work, actually; you can create a Kerberos SSPI context on the
initiator side, and a Negotiate context on the acceptor side, and the
Negotiate provider will accept the raw Kerberos tokens without SPNEGO
encapsulation.  It would be interesting to try this in an extended security
handshake (i.e., have the client send raw Kerberos tokens in the security
blob), as well as in HTTP auth.


Eric
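
An added example, not part of Eric's message or of Samba's code: since an acceptor may see either a SPNEGO-wrapped token or a raw Kerberos token in the security blob, this sketch classifies an initial token by its GSS-API framing and mechanism OID. The function names and the sample blobs are constructed for illustration; only the OID encodings and the NTLMSSP signature are real values.

```python
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2

def _der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_blob(blob):
    """Name the framing of an initial token (function name is hypothetical)."""
    if blob.startswith(b"NTLMSSP\x00"):
        return "raw-ntlmssp"
    if not blob or blob[0] != 0x60:      # 0x60 = GSS-API InitialContextToken
        return "unknown"
    try:
        total, pos = _der_len(blob, 1)
        if pos + total > len(blob) or pos >= len(blob) or blob[pos] != 0x06:
            return "malformed"
        oid_len, pos = _der_len(blob, pos + 1)
    except ValueError:
        return "malformed"
    oid = blob[pos:pos + oid_len]
    if len(oid) != oid_len:
        return "malformed"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "raw-kerberos"
    return "gss-other"

def _frame(oid, inner):
    """Build a short GSS-framed token for the constructed samples below."""
    body = bytes([0x06, len(oid)]) + oid + inner
    return bytes([0x60, len(body)]) + body

# Constructed samples: real framing, placeholder payload bytes.
SAMPLES = {
    "spnego": _frame(SPNEGO_OID, b"\xa0\x02\x30\x00"),
    "raw-kerberos": _frame(KRB5_OID, b"\x01\x00" + b"\x00" * 8),
    "raw-ntlmssp": b"NTLMSSP\x00\x01\x00\x00\x00",
}
```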


