
curl-library

Re: problems using negotiate with sspi in 7.21.6

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 16 May 2011 18:58:03 +0200 (CEST)

On Mon, 16 May 2011, David Woodhouse wrote:

>> libcurl actually doesn't fall back to another auth. It picks the one auth
>> type it thinks is best out of the ones the server offers and if that fails,
>> the request fails. Why would it fall back and do another try?
>
> In Windows environments it seems quite common for Kerberos support to be
> *claimed* but not actually functional. We need to fall back to NTLM in that
> case.

Aha.

Hm, is this "try next method" unique for Kerberos/Negotiate? Are there other
methods that we can expect to be able to fail "early" like that?

Certainly trying NTLM next can't be really universal as surely not every
server out there will offer exactly those two authentication methods in pair?
What I mean is that the "try next" logic would have to be able to try the next
method in order of preference where NTLM is one of the possible choices. Or am
I wrong?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2011-05-16
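
The "try next method in order of preference" logic discussed in this mail, as an added example that is not part of the original message and is not libcurl code. The `AUTH_*` flags, both function names, the `try_auth` callback and the preference order are assumptions made for this sketch. Only methods the caller allows are ever tried, so a fallback cannot silently land on a method the caller did not ask for.

```c
#include <stdio.h>

/* Hypothetical bit flags for this sketch (not libcurl's CURLAUTH_* names). */
enum { AUTH_NONE = 0, AUTH_BASIC = 1 << 0, AUTH_DIGEST = 1 << 1,
       AUTH_NEGOTIATE = 1 << 2, AUTH_NTLM = 1 << 3 };

/* Assumed preference order, most preferred first. */
static const unsigned preference[] = { AUTH_NEGOTIATE, AUTH_DIGEST, AUTH_NTLM, AUTH_BASIC };

/* Return the most preferred method that the server offers, the caller
   allows, and that has not already failed; AUTH_NONE if nothing is left. */
unsigned pick_next_auth(unsigned offered, unsigned allowed, unsigned failed)
{
    unsigned candidates = offered & allowed & ~failed;
    size_t i;
    for (i = 0; i < sizeof(preference) / sizeof(preference[0]); i++) {
        if (candidates & preference[i])
            return preference[i];
    }
    return AUTH_NONE;
}

/* Walk the whole fallback chain. try_auth stands in for a real request and
   reports success (1) or early failure (0). Returns the method that worked,
   or AUTH_NONE when every permitted method failed. */
unsigned authenticate(unsigned offered, unsigned allowed,
                      int (*try_auth)(unsigned method))
{
    unsigned failed = AUTH_NONE, method;
    while ((method = pick_next_auth(offered, allowed, failed)) != AUTH_NONE) {
        if (try_auth(method))
            return method;
        failed |= method;  /* never retry a method that already failed */
    }
    return AUTH_NONE;
}

/* Constructed scenario from the thread: Negotiate is advertised but broken. */
static int broken_kerberos(unsigned method) { return method != AUTH_NEGOTIATE; }

int main(void)
{
    unsigned offered = AUTH_NEGOTIATE | AUTH_NTLM;
    unsigned used = authenticate(offered, AUTH_NEGOTIATE | AUTH_NTLM, broken_kerberos);
    printf("authenticated with method flag %u\n", used);
    return 0;
}
```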