Re: "Windows Authentication" Was: "Credentials Caching - Security Guy Not Happy" from users list

James Chaldecott wrote:

> What you're looking seems to be variously known as either NTLM or SSPI
> authentication (the former is the protocol the latter the win32 API).
> Various open-source codebases support it on the client side e.g.
> Mozilla[1] & libntlm[2].

Unfortunately, there's a catch. When talking about Apache's
mod_auth_sspi, it's good to know that it only works on Windows. It will,
for example, let you connect to Apache with IE without retyping the
username and password, but I don't know how the handshaking works,
either. Google pops up a few links, and at first glance the client and
server go through a kerberos-like token exchange, although I haven't a
clue how you implement that on Windows. It's certainly not trivial.

You can get a similar effect on Unix with mod_auth_pam and pam_smb
(there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
it doesn't understand the Windows-specific handshake -- in other words,
it just checks the basic auth tokens against an NT domain controller.

-- Brane

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Sep 5 05:38:21 2004