[curl:bugs] #1245 Failure to initialize GSSAPI breaks other authentication methods
From: Alex Honore <ahonore_at_users.sf.net>
Date: Thu, 20 Jun 2013 07:50:25 +0000
Not sure. I'll read a bit more about Negotiate, GSS etc. and try to set this up in a lab to get a better idea.
---

** [bugs:#1245] Failure to initialize GSSAPI breaks other authentication methods**

**Status:** open-confirmed
**Labels:** gssapi
**Created:** Thu Jun 13, 2013 10:41 AM UTC by Alex Honore
**Last Updated:** Thu Jun 20, 2013 07:50 AM UTC
**Owner:** Daniel Stenberg

Bugfix #869 ("gss negotiate infinite loop if credentials invalid") apparently broke HTTP authentication when "WWW-Authenticate: Negotiate" is returned by the server as part of the available methods, but Kerberos credentials do not exist on the client.

I believe this is due to the fact that we initialize all proposed methods before ruling some out based on the parameters passed by the user/caller (e.g. --ntlm).

Before #869, a failure in initializing GSSAPI would not set data->state.authproblem to TRUE, and the connection would succeed using another method. After the fix, the connection fails even though GSSAPI is not a desired method.

Here is verbose output from a failing connection, connecting to MS Exchange EWS, looking to authenticate using NTLM.

    curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

    curl -v -n --ntlm --data '@GetInboxRules.xml' -H 'Content-type: text/xml; charset=utf-8' 'https://mail.foobar.com/ews/exchange.asmx'
    * About to connect() to mail.foobar.com port 443 (#0)
    * Trying 10.0.0.1... connected
    [SSL handshake edited out for brevity]
    * Server auth using NTLM with user 'baz'
    > POST /ews/exchange.asmx HTTP/1.1
    > Authorization: NTLM XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
    > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
    > Host: mail.foobar.com
    > Accept: */*
    > Content-type: text/xml; charset=utf-8
    > Content-Length: 0
    >
    < HTTP/1.1 401 Unauthorized
    < Server: Microsoft-IIS/7.5
    < Set-Cookie: exchangecookie=00000000000000000000000000000000; expires=Fri, 13-Jun-2014 10:18:58 GMT; path=/; HttpOnly
    < WWW-Authenticate: NTLM XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    * gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_1000' not found
    WWW-Authenticate: Negotiate
    < WWW-Authenticate: Basic realm="mail.foobar.com"
    < X-Powered-By: ASP.NET
    < Date: Thu, 13 Jun 2013 10:18:58 GMT
    < Content-Length: 0
    <
    * Connection #0 to host mail.foobar.com left intact
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

---

Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1245/>

Received on 2013-06-20
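The ordering problem described in the ticket, as an added example that is not part of the original mail and is not libcurl source: a simplified model that feeds the three `WWW-Authenticate` values from the 401 above through two header handlers. All names except `authproblem` are hypothetical, and the filter-first handler is one assumed way to avoid the failure, not the fix the project adopted.

```c
/* Simplified model of the auth-selection ordering issue; not libcurl code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { AUTH_BASIC = 1, AUTH_NTLM = 2, AUTH_NEGOTIATE = 4 }; /* hypothetical flags */

struct auth_state {
  unsigned wanted;      /* methods the caller allowed, e.g. --ntlm */
  unsigned avail;       /* offered methods that are wanted and usable */
  bool authproblem;     /* models data->state.authproblem from the ticket */
  bool have_krb_cache;  /* false models the missing credentials cache file */
};

/* Models GSSAPI initialisation: fails when no Kerberos credentials exist. */
static bool negotiate_init(const struct auth_state *s) { return s->have_krb_cache; }

static unsigned method_of(const char *value) {
  if(!strncmp(value, "Negotiate", 9)) return AUTH_NEGOTIATE;
  if(!strncmp(value, "NTLM", 4)) return AUTH_NTLM;
  if(!strncmp(value, "Basic", 5)) return AUTH_BASIC;
  return 0;
}

/* Ordering from the ticket: every offered method is initialised, then filtered. */
static void on_header_init_first(struct auth_state *s, const char *value) {
  unsigned m = method_of(value);
  if(m == AUTH_NEGOTIATE && !negotiate_init(s)) { s->authproblem = true; return; }
  if(m & s->wanted) s->avail |= m;
}

/* Assumed alternative: drop methods the caller did not ask for before any init. */
static void on_header_filter_first(struct auth_state *s, const char *value) {
  unsigned m = method_of(value);
  if(!(m & s->wanted)) return;
  if(m == AUTH_NEGOTIATE && !negotiate_init(s)) { s->authproblem = true; return; }
  s->avail |= m;
}

/* Replays the 401's offers (challenge value is a placeholder); true if auth can go on. */
static bool can_authenticate(void (*on_header)(struct auth_state *, const char *),
                             unsigned wanted, bool have_krb_cache) {
  static const char *offered[] = { "NTLM <challenge>", "Negotiate",
                                   "Basic realm=\"mail.foobar.com\"" };
  struct auth_state s = { wanted, 0, false, have_krb_cache };
  for(size_t i = 0; i < 3; i++) on_header(&s, offered[i]);
  return !s.authproblem && s.avail != 0;
}

int main(void) {
  printf("init-first:   %d\n", can_authenticate(on_header_init_first, AUTH_NTLM, false));
  printf("filter-first: %d\n", can_authenticate(on_header_filter_first, AUTH_NTLM, false));
  return 0;
}
```

With Negotiate explicitly requested and no credentials cache, both handlers still report the failure, so the behaviour that #869 introduced is kept for callers who actually asked for GSSAPI.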
Page updated May 06, 2013.