Re: problems using negotiate with sspi in 7.21.6

From: David Woodhouse <>
Date: Mon, 16 May 2011 21:11:39 +0100 (BST)

On Mon, 16 May 2011, Daniel Stenberg wrote:

> On Mon, 16 May 2011, David Woodhouse wrote:
> Hm, is this "try next method" unique for Kerberos/Negotiate? Are there other
> methods that we can expect to be able to fail "early" like that?

Well, it's not so much about failing early. Surely the distinction is
single-sign-on. In the case of Kerberos (if you have a TGT) or NTLM (if
running winbind) you can attempt to authenticate *automatically* without
having to interact with the user. You try those, and *if* they fail you
fall back to asking the user for a password.

> Certainly trying NTLM next can't be really universal as surely not every
> server out there will offer exactly those two authentication methods in pair?
> What I mean is that the "try next" logic would have to be able to try the
> next method in order of preference where NTLM is one of the possible choices.
> Or am I wrong?

Yes, absolutely. Try the next method in order of preference, if SSO fails.
Note that if NTLM with SSO fails, you might actually try NTLM with a
user-provided password next. Not give up on NTLM entirely.

Received on 2011-05-16
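
The fallback order discussed in this mail, sketched as an added example (not code from the original message or from curl): silent single-sign-on attempts come first in order of preference, and password-based attempts follow only if those fail, so NTLM can appear twice. All identifiers are hypothetical, and the preference order and the treatment of Negotiate as SSO-only are assumptions of the sketch.

```c
#include <stddef.h>

/* Hypothetical names for this sketch; none of them are libcurl identifiers. */
enum method { M_NEGOTIATE, M_NTLM, M_DIGEST, M_BASIC, M_COUNT }; /* assumed order */
enum cred { CRED_SSO, CRED_PASSWORD };

struct attempt { enum method m; enum cred c; };

struct env {
  unsigned offered;  /* bit (1u << method) set for each method the server offers */
  int have_tgt;      /* Kerberos TGT present: Negotiate can run without prompting */
  int have_winbind;  /* winbind running: NTLM can run without prompting */
};

/* Can this method authenticate silently in the current environment? */
static int sso_possible(const struct env *e, enum method m)
{
  if (m == M_NEGOTIATE) return e->have_tgt;
  if (m == M_NTLM) return e->have_winbind;
  return 0;
}

/* Assumption: Negotiate is SSO-only here; the others accept a typed password. */
static int takes_password(enum method m) { return m != M_NEGOTIATE; }

/* Fill out[] in the order to try; each entry is used only if all earlier
   ones failed. Pass 0 lists SSO attempts, pass 1 password attempts. */
size_t build_plan(const struct env *e, struct attempt *out, size_t cap)
{
  size_t n = 0;
  int pass, m;
  for (pass = CRED_SSO; pass <= CRED_PASSWORD; pass++) {
    for (m = 0; m < M_COUNT; m++) {
      int usable = (pass == CRED_SSO) ? sso_possible(e, (enum method)m)
                                      : takes_password((enum method)m);
      if (!(e->offered & (1u << m)) || !usable || n == cap)
        continue;
      out[n].m = (enum method)m;
      out[n].c = (enum cred)pass;
      n++;
    }
  }
  return n;
}

/* Index of the first password attempt, i.e. the point where the user is prompted. */
size_t first_prompt(const struct attempt *plan, size_t n)
{
  size_t i = 0;
  while (i < n && plan[i].c == CRED_SSO) i++;
  return i;
}
```
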