On Thu, Jun 20, 2013 at 9:52 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
> On Thu, Jun 20, 2013 at 5:44 PM, Mark Phippard <markphip_at_gmail.com> wrote:
>> On Thu, Jun 20, 2013 at 9:40 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>>> On Thu, Jun 20, 2013 at 5:30 PM, Bert Huijben <bert_at_qqmail.nl> wrote:
>>>> The patch to serf 1.2.1 attached to this mail is a (tiny bit cleaned up)
>>>> hack based on the old code in ra_serf, some code from an old serf branch and
>>>> the new in serf auth_kerb code, which re-enables the NTLM authentication
>>>> scheme in serf.
>>> I'm -1 for such a patch:
>>> * It duplicates auth_kerb.c, which is intended to have the same auth code
>>> on different platforms with pluggable platform-specific code
>>> * serf should not try to use NTLM authentication if server supports Negotiate.
>> So you are saying you do not think Serf should support mod_auth_sspi
>> and do not consider this a regression? Could you explain that
>> position with more detail?
> You didn't understand me. There are two HTTP authentication schemes
> for automatic authentication:
> * NTLM
> Uses Windows NTLM authentication
> * Negotiate (SPNEGO)
> Uses NTLM or Kerberos depending on what is supported by server and client.
> NTLM is not documented AFAIK, while Negotiate (SPNEGO) is documented
> by RFC 4559
> Serf supports only Negotiate authentication schemes. Which
> automatically provides you NTLM or Kerberos.
> mod_auth_sspi can be configured to use Negotiate protocol using
> "SSPIPackage Negotiate" server side directive. Bert reported that with
> "SSPIPackage Negotiate" is working fine, but neon doesn't.
> My position is that serf should use only Negotiate authentication
> scheme if server supports both NTLM and Negotiate authentication

If existing 1.7, 1.6 etc clients do not support this, then your
position is untenable, one might even say ludicrous. That is why I am
asking for more explanation. Surely this cannot be what you are

We can all agree we have a significant number of existing users using
an automatic authentication method with Windows. I am calling that
mod_auth_sspi. I guess to use your terms, that means NTLM. Are any
of these users using the SSPI negotiate option? If our pre-1.8
clients do not support that option then I would have to say No.

I fail to see how you can justify a veto here.

Received on 2013-06-20 16:01:14 CEST
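
The scheme-selection rule debated in this thread (use Negotiate whenever the server offers it, use NTLM only when it is offered without Negotiate), as an added example that is not part of the original mail and is not serf's code. The function and enum names are hypothetical, and the challenge strings are constructed samples.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for this example; not serf's API. */
typedef enum { SCHEME_NONE = 0, SCHEME_NTLM, SCHEME_NEGOTIATE } auth_scheme_t;

/* Match the auth-scheme token at the start of one WWW-Authenticate value.
   Scheme names are case-insensitive and end at whitespace or end of string,
   so "NTLMX" does not match "NTLM". */
static int has_scheme(const char *challenge, const char *scheme)
{
    while (*challenge == ' ' || *challenge == '\t')
        challenge++;
    for (; *scheme != '\0'; scheme++, challenge++) {
        if (tolower((unsigned char)*challenge) != tolower((unsigned char)*scheme))
            return 0;
    }
    return *challenge == '\0' || *challenge == ' ' || *challenge == '\t';
}

/* Pick one scheme from all challenges of a 401 response.
   Negotiate wins whenever it is offered, regardless of header order;
   NTLM is chosen only when it is offered without Negotiate.
   Other schemes (Basic, Digest) are ignored by this example. */
auth_scheme_t choose_sso_scheme(const char *const *challenges, size_t count)
{
    auth_scheme_t best = SCHEME_NONE;
    for (size_t i = 0; i < count; i++) {
        if (has_scheme(challenges[i], "Negotiate"))
            return SCHEME_NEGOTIATE;
        if (has_scheme(challenges[i], "NTLM"))
            best = SCHEME_NTLM;
    }
    return best;
}

int main(void)
{
    /* Constructed sample: a server that advertises both schemes. */
    const char *const both[] = { "NTLM", "Negotiate", "Basic realm=\"svn\"" };
    /* Constructed sample: a server that advertises NTLM only. */
    const char *const ntlm_only[] = { "NTLM", "Basic realm=\"svn\"" };

    printf("both offered -> %d\n", choose_sso_scheme(both, 3));
    printf("NTLM only    -> %d\n", choose_sso_scheme(ntlm_only, 2));
    return 0;
}
```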