curl-library
Re: problems using negotiate with sspi in 7.21.6
Date: Mon, 16 May 2011 21:11:39 +0100 (BST)
On Mon, 16 May 2011, Daniel Stenberg wrote:
> On Mon, 16 May 2011, David Woodhouse wrote:
> Hm, is this "try next method" unique for Kerberos/Negotiate? Are there other
> methods that we can expect to be able to fail "early" like that?
Well, it's not so much about failing early. Surely the distinction is
single-sign-on. In the case of Kerberos (if you have a TGT) or NTLM (if
running winbind) you can attempt to authenticate *automatically* without
having to interact with the user. You try those, and *if* they fail you
fall back to asking the user for a password.
> Certainly trying NTLM next can't be really universal as surely not every
> server out there will offer exactly those two authentication methods in pair?
> What I mean is that the "try next" logic would have to be able to try the
> next method in order of preference where NTLM is one of the possible choices.
> Or am I wrong?
Yes, absolutely. Try the next method in order of preference, if SSO fails.
Note that if NTLM with SSO fails, you might actually try NTLM with a
user-provided password next. Not give up on NTLM entirely.
-- 
dwmw2

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-05-16
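
The ordering discussed in this message, sketched as an added example (not part of the original post and not libcurl code): silent single-sign-on attempts are queued first in order of preference, then password-based attempts, so NTLM can appear once with SSO and again with a user-provided password. All names, the preference order and the two-pass reading of "try next" are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical names throughout; this is not libcurl's API. */
enum method { M_NEGOTIATE, M_NTLM, M_DIGEST, M_BASIC, M_COUNT };
struct attempt { enum method m; int sso; };  /* sso=1: no user interaction */

/* Assumed client preference, most preferred first. */
static const enum method prefer[] = { M_NEGOTIATE, M_NTLM, M_DIGEST, M_BASIC };
static const char *const name[M_COUNT] = { "Negotiate", "NTLM", "Digest", "Basic" };

/*
 * Build the ordered list of attempts for one server.
 *   offered[m] - server listed method m in its authentication challenge
 *   sso_ok[m]  - ambient credentials exist for m (a TGT, winbind, ...)
 *   pw_ok[m]   - m can also be driven by a user-supplied password
 * Pass 1 queues every silent (SSO) attempt in preference order; pass 0
 * queues the password attempts, so the user is prompted only after all
 * automatic options have failed. Methods the server did not offer are
 * never attempted. Returns the number of attempts written to out.
 */
size_t plan_auth(const int offered[M_COUNT], const int sso_ok[M_COUNT],
                 const int pw_ok[M_COUNT], struct attempt *out, size_t cap)
{
    size_t n = 0, i;
    int pass;
    for (pass = 1; pass >= 0; pass--) {
        for (i = 0; i < sizeof prefer / sizeof prefer[0]; i++) {
            enum method m = prefer[i];
            int usable = pass ? sso_ok[m] : pw_ok[m];
            if (offered[m] && usable && n < cap) {
                out[n].m = m;
                out[n].sso = pass;
                n++;
            }
        }
    }
    return n;
}

int main(void)
{
    /* Constructed case: server offers Negotiate, NTLM and Basic. */
    const int offered[M_COUNT] = { 1, 1, 0, 1 };
    const int sso_ok[M_COUNT]  = { 1, 1, 0, 0 };
    const int pw_ok[M_COUNT]   = { 0, 1, 1, 1 };
    struct attempt plan[2 * M_COUNT];
    size_t i, n = plan_auth(offered, sso_ok, pw_ok, plan, 2 * M_COUNT);
    for (i = 0; i < n; i++)
        printf("%zu. %s (%s)\n", i + 1, name[plan[i].m], plan[i].sso ? "SSO" : "password");
    return 0;
}
```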