On Thu, Jun 9, 2011 at 2:09 PM, Richard Silverman <res_at_qoxp.net> wrote:
> On Thu, 9 Jun 2011, Emil Assarsson wrote:
>
>> Hi,
>>
>> For some years ago I tested the kerberos negotiation support agains
>> our intranet witch is based on IIS. It worked fine then. I think I was
>> using Ubuntu Intrepid in those days.
>>
>> I tried this now but I can't get it to work. It tries to send a ticket
>> to the server but it gets rejected. I suspect that the server wants to
>> have a SPNEGO ticket instead of the GSS ticket.
>
> This may not be the problem; I have no trouble using "curl --negotiate"
> against an IIS server.  I suggest you examine the HTTP traffic with
> Wireshark.  It can decode the HTTP Negotiate headers down through GSSAPI to
> Kerberos, and perhaps reveal what's going on -- likely in the response code
> in the Kerberos AP_REP message returned from the server.

I used wireshark just in this way to detect that it tried to use
gss-negotiate instead of spnego.
Firefox uses spnego and it works. Curl uses gss-negotiate and it
doesn't. Both of them acquires a ticket for the same Principal.

I have tried to use curl 7.21.6 but no progress. I can't get the
fbopenssl installation right to test spnego with curl... still working
on it.

-- 
Emil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html