On Thu, Jun 20, 2013 at 5:44 PM, Mark Phippard <markphip_at_gmail.com> wrote:
> On Thu, Jun 20, 2013 at 9:40 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>> On Thu, Jun 20, 2013 at 5:30 PM, Bert Huijben <bert_at_qqmail.nl> wrote:
>> [...]
>>
>>> The patch to serf 1.2.1 attached to this mail is a (tiny bit cleaned up)
>>> hack based on the old code in ra_serf, some code from an old serf branch and
>>> the new in serf auth_kerb code, which re-enables the NTLM authentication
>>> scheme in serf.
>>>
>>>
>> I'm -1 for such a patch:
>> * It duplicates auth_kerb.c, which is intended to have the same auth code
>> on different platforms with pluggable platform-specific code
>>
>> * serf should not try to use NTLM authentication if the server supports Negotiate.
>
> So you are saying you do not think Serf should support mod_auth_sspi
> and do not consider this a regression? Could you explain that
> position with more detail?

Mark,

You didn't understand me. There are two HTTP authentication schemes
for automatic authentication:
* NTLM
  Uses Windows NTLM authentication
* Negotiate (SPNEGO)
  Uses NTLM or Kerberos depending on what is supported by the server and client.

NTLM is not documented AFAIK, while Negotiate (SPNEGO) is documented
by RFC 4559 [1].

Serf supports only the Negotiate authentication scheme, which
automatically provides you NTLM or Kerberos.

mod_auth_sspi can be configured to use the Negotiate protocol using the
"SSPIPackage Negotiate" server-side directive. Bert reported that with
"SSPIPackage Negotiate" it is working fine, but neon doesn't.

My position is that serf should use only the Negotiate authentication
scheme if the server supports both the NTLM and Negotiate authentication
schemes.

[1] http://tools.ietf.org/html/rfc4559

--
Ivan Zhakov
Received on 2013-06-20 15:53:39 CEST
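
The selection rule argued for in the message above (use only Negotiate when a server offers both Negotiate and NTLM), as an added example that is not part of the original thread and is not serf's code. The type and function names are hypothetical, the header values are constructed, and each WWW-Authenticate value is assumed to carry exactly one challenge.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; ordered so a higher value wins. */
typedef enum { AUTH_NONE = 0, AUTH_NTLM = 1, AUTH_NEGOTIATE = 2 } auth_scheme_t;

/* Case-insensitive match of a length-delimited token against a scheme name. */
static int token_is(const char *tok, size_t len, const char *name)
{
    size_t i;
    if (strlen(name) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Classify one WWW-Authenticate value by its leading scheme token. */
static auth_scheme_t scheme_of(const char *value)
{
    size_t len;
    while (*value == ' ' || *value == '\t')
        value++;
    len = strcspn(value, " \t");   /* token ends at whitespace or end of string */
    if (token_is(value, len, "Negotiate")) return AUTH_NEGOTIATE;
    if (token_is(value, len, "NTLM"))      return AUTH_NTLM;
    return AUTH_NONE;              /* Basic, Digest, unknown: out of scope here */
}

/* Scan every challenge in a 401 response; NTLM is chosen only if
 * Negotiate was not offered at all. */
auth_scheme_t select_scheme(const char *const *values, size_t count)
{
    auth_scheme_t best = AUTH_NONE;
    size_t i;
    for (i = 0; i < count; i++) {
        auth_scheme_t s = scheme_of(values[i]);
        if (s > best)
            best = s;
    }
    return best;
}

/* Constructed sample challenge sets (not captured from a real server). */
static const char *const sample_both[]       = { "NTLM", "Negotiate" };
static const char *const sample_ntlm_only[]  = { "NTLM" };
static const char *const sample_mixed_case[] = { "Basic realm=\"svn\"", "negotiate" };

int main(void)
{
    printf("%d %d %d\n", select_scheme(sample_both, 2),
           select_scheme(sample_ntlm_only, 1), select_scheme(sample_mixed_case, 2));
    return 0;
}
```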