
curl-library

Re: Problem with NTLM proxy authentication

From: Ulrich Telle <Ulrich.Telle_at_gmx.de>
Date: Fri, 12 Sep 2014 12:30:21 +0200

Steve,

> > [...] That is, removing the flags seems to have done the trick.
>
> Whilst I have some experience in this area I'm not a security expert - I'm
> still learning in some respects ;-)
>
> What I did find from my own testing of the Kerberos 5 support I recently
> added for the email protocols was that these flags served no purpose, if
> you're not encrypting the data, so if you look at the new code in
> curl_sasl_sspi.c I simply pass zero - unless the mutual authentication flag
> is set in which case I pass in ISC_REQ_MUTUAL_AUTH (which we don't use in
> the NTLM code).
>
> > I have no explanation why the flags seem to have had such a negative
> > effect for some of the users.
> >
> > However, after googling again for some time I found this url
> >
> > and this url
>
> Interesting finds.
>
> > My conclusion is that it seems to be better to remove the flags.
>
> I'm all for removing them if it means we work out of the box with more
> proxy servers.
>
> Do you think it is worth passing a flag into those functions and
> setting the ISC_REQ_ flags if that flag is set - for the email
> protocols for example or not?

For the calls in curl_ntlm_msgs.c I probably wouldn't do that. However, I'm
no Windows SSPI expert.
 
> However, I have just tested this against an Exchange 2013 server with
> both single sign on and a specific user account (both with and without
> the domain) and all three tests succeeded with the ISC_REQ_ flags as
> zero.
>
> Are you up to providing a patch - I can do it but it is your find so I
> would rather you are credited for the work ;-)

I just submitted a patch to the curl-library list. :-)

Thanks again for bearing with me throughout the process to analyze and to
finally fix the problem!

Regards,

Ulrich

-- 
E-Mail privat:  Ulrich.Telle_at_gmx.de
World Wide Web: http://www.telle-online.de
Received on 2014-09-12