[24028] in Kerberos
RE: kerberos authentication for apache on windows
daemon@ATHENA.MIT.EDU (Frank Balluffi)
Mon Jun 6 09:17:17 2005
In-Reply-To: <20050606091227.sb8cnjqejxa8c0w4@webmail.aql.fr>
To: "Julien ALLANOS <julien.allanos" <julien.allanos@aql.fr>
MIME-Version: 1.0
From: "Frank Balluffi" <frank.balluffi@db.com>
Message-ID: <OFBEB9F262.8AB99ECF-ON85257018.00474817-85257018.004952CF@db.com>
Date: Mon, 6 Jun 2005 09:16:25 -0400
Content-Type: text/plain; charset="US-ASCII"
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Julien ALLANOS said:
> I am now facing the following problem: browsers don't send NTLM tokens
> anymore but SPNEGO tokens (I believe). I don't really know what I did to make
> it work, but heh, it works. That's good.

For both NTLM and SPNEGO tokens, IE should send:

    Authorization: Negotiate

followed by a base64-encoded token. To determine the type of token,
capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C
4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with
hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long
(most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2,
which identifies the SPNEGO GSSAPI mechanism.
Frank
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
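
The token check described in the message above, as an added Python example that is not part of the original post: it base64-decodes the value after "Negotiate", tests for the "NTLMSSP" signature, and otherwise reads the 0x60 tag, the 1 to 3 byte DER length, and the mechanism OID. The function names, the sample tokens (constructed, not captured traffic) and the "other GSS-API mechanism" label are assumptions of this example.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP"       # hex 4E 54 4C 4D 53 53 50
SPNEGO_OID = "1.3.6.1.5.5.2"      # DER: 06 06 2B 06 01 05 05 02
# Constructed sample tokens (not captured traffic), keyed by a label.
OID_TLV = bytes.fromhex("06062b0601050502")
SAMPLES = {"ntlm": b"NTLMSSP\x00\x01\x00\x00\x00",
           "spnego_1": b"\x60\x0a" + OID_TLV + b"\xa0\x00",
           "spnego_3": b"\x60\x82\x01\x00" + OID_TLV + bytes(248)}

def der_length(buf, pos):         # returns (length, index after the length field)
    first = buf[pos]
    if first < 0x80:              # short form: the length field is 1 byte
        return first, pos + 1
    n = first & 0x7F              # long form: 0x81 xx or 0x82 xx xx
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):             # DER OID content bytes -> dotted string
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a subidentifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2) # first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def header_for(token):            # hypothetical helper: raw token -> header value
    return "Negotiate " + base64.b64encode(token).decode()

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(NTLM_SIGNATURE):
        return "NTLM"
    try:
        _, pos = der_length(token, 1)
        if token[0] != 0x60 or token[pos] != 0x06:   # GSS-API tag, then OID tag
            return "unknown"
        oid_len, pos = der_length(token, pos + 1)
        oid = decode_oid(token[pos:pos + oid_len])
    except (IndexError, ValueError):
        return "unknown"
    return "SPNEGO" if oid == SPNEGO_OID else "other GSS-API mechanism " + oid
```

Pass the header value without the "Authorization:" name, for example classify_negotiate(header_for(SAMPLES["spnego_3"])).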