HTTP Digest Authentication Problems (K 3.2.3/Apache 2.0.50)

Martijn Klingens klingens at kde.org
Sun Sep 5 16:59:46 BST 2004


On Monday 23 August 2004 23:05, Sean Lynch wrote:
> > I believe in order to support IIS and SPNEGO some
> > changes are required and I'm not sure whether it's possible to make it
> > work at all on a non-MS system as this server apparently expects some
> > kind of NTLM authentication and just offers "Negotiate" because this is
> > the new standardized way of doing it whereas the old "NTLM" method is
> > proprietary.

That's actually not quite true. Microsoft IIS has several authentication
formats. Apart from using client side certificates for authentication, which
are a bit special, there are Basic, Digest and NTLM ("Windows Integrated")
authentication.

The latter is the preferred authentication method in Windows-centric
environments (intranets) since the login credentials are automatically passed
on, leading to single sign on. Also, while not exactly a secure authentication
method in itself, it surely is a lot better than Basic and is even more
secure than Digest in that the authentication uses decent hashes rather than
the plaintext passes that Basic uses.

> Firefox works with it, for what it's worth.

Firefox supports NTLM in recent versions.

At work I have the luxury to be able to control the intranet websites I need 
access to and I turned on Basic auth. If more security is required and/or you 
cannot turn on Basic because you're not the admin you're basically out of 
luck at the moment.

The only solution is to make kio_http support NTLM. I don't think you'd need
to change much in the negotiate code. An IIS web site with both Basic and
NTLM enabled has already worked for ages, so I assume it already works, unless
this particular combination doesn't trigger Negotiate at all.

Martijn
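
Added example (not part of the original message and not kio_http code): a sketch of how a client that lacks NTLM/Negotiate support can still authenticate to a site that also offers Basic, by picking the first scheme it implements from the offered challenges. The function names, the client's preference order and the sample header values are assumptions constructed for illustration, and one challenge per WWW-Authenticate header line is assumed.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Auth-scheme token of one WWW-Authenticate header value, lower-cased
// because scheme names are case-insensitive.
std::string schemeOf(const std::string& value) {
    const std::size_t start = value.find_first_not_of(" \t");
    if (start == std::string::npos) return "";
    const std::size_t end = value.find_first_of(" \t", start);
    std::string s = value.substr(start, end == std::string::npos ? end : end - start);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Return the first scheme in `implemented` (client preference order, lower
// case) that the server offered, or "" when nothing offered is implemented.
std::string chooseScheme(const std::vector<std::string>& challenges,
                         const std::vector<std::string>& implemented) {
    std::vector<std::string> offered;
    for (const std::string& c : challenges) offered.push_back(schemeOf(c));
    for (const std::string& want : implemented)
        if (std::find(offered.begin(), offered.end(), want) != offered.end())
            return want;
    return "";
}

int main() {
    // Constructed sample challenges, one per WWW-Authenticate header line.
    const std::vector<std::string> basicAndNtlm = {"Negotiate", "NTLM", "Basic realm=\"intranet\""};
    const std::vector<std::string> integratedOnly = {"Negotiate", "NTLM"};
    // Hypothetical client with Digest and Basic but no NTLM/Negotiate support.
    const std::vector<std::string> client = {"digest", "basic"};

    std::cout << "Basic+NTLM site: " << chooseScheme(basicAndNtlm, client) << "\n";
    std::cout << "Integrated-only site: '" << chooseScheme(integratedOnly, client) << "'\n";
    return 0;
}
```

An empty result is the "out of luck" case: the server offers only schemes the client does not implement.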
