6 Replies Latest reply on Oct 22, 2012 6:08 AM by luca.scamoni

    Kerberos and NTLM authentication fallback


      I'm facing this problem with MWG configured to authenticate clients using Kerberos or NTLM as a fallback mechanism.


      • upon submitting the GET request the client receives a 407 response asking to authenticate using Negotiate or NTLM
      • here three things may happen:
        1. the client has or negotiates a valid Kerberos ticket and submits the GET request including the krbtkt using the Negotiate method; OK
        2. the client doesn't know how to manage Kerberos and chooses to submit the GET request choosing the NTLM method; OK
        3. the client can't (or won't) negotiate a valid Kerberos ticket and submits the GET request including the NTLMSSP using the Negotiate method; KO

      This last case leads to the browser showing the classic "unable to connect" message.


      A tcpdump of case 1:


      frame 839:


      frame 847:


      frame 879 after Kerberos ticket negotiation:


      leading to the final 200/OK


      A tcpdump of case 3:


      frames 379 and 384 are similar to 839 and 847 above. Then frame 388:


      sends the negotiate request using NTLMSSP and MWG answers in frame 398:


      Here traffic ends and IE shows the "can't connect" message.


      Here the browser tells MWG that the strongest security method it knows is NTLM, but MWG is unable to complete the NTLM handshake using Negotiate.

      Can it be made to work as expected?
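As an added illustration (not code from the original post and not part of MWG), the script below classifies the Proxy-Authorization header a client sends after the 407, so a capture like the frames above can be checked to see which of the three cases it falls in: a Kerberos-first SPNEGO token (case 1), the plain NTLM scheme (case 2), or NTLMSSP carried under Negotiate, either as a raw NTLMSSP blob or as an SPNEGO token whose preferred mechanism is NTLM (case 3). The mechanism OIDs are the standard GSS-API ones; the sample tokens and the `build_spnego_init` helper are constructed here for the demonstration and are not taken from the capture.

```python
import base64

# DER-encoded GSS-API mechanism OIDs (RFC 4178, RFC 4121, MS-SPNG).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060401823702020a")   # 1.3.6.1.4.1.311.2.2.10
KNOWN_OIDS = {OID_SPNEGO, OID_KRB5, OID_MSKRB5, OID_NTLMSSP}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def build_spnego_init(mech_oids, mech_token):
    """Build a minimal SPNEGO NegTokenInit inside a GSS-API InitialContextToken.

    Only used to construct sample tokens. mechTypes order is the client's
    preference; mechToken carries the opening message of the first mechanism.
    """
    mech_types = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, neg_token_init))


def _scan_known_oids(token):
    """Return known mechanism OIDs in order of appearance (mechTypes precede mechToken)."""
    found, i = [], 0
    while i < len(token) - 1:
        if token[i] == 0x06 and token[i + 1] < 0x80:
            n = token[i + 1]
            cand = token[i + 2 : i + 2 + n]
            if cand in KNOWN_OIDS:
                found.append(cand)
                i += 2 + n
                continue
        i += 1
    return found


def classify_proxy_authorization(header_value):
    """Map a Proxy-Authorization header value to one of the three cases in the post."""
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"                       # case 2: explicit NTLM scheme
    if scheme != "negotiate":
        return "other"
    if not b64:
        return "negotiate-empty"            # bare "Negotiate" with no token yet
    token = base64.b64decode(b64.strip())
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-over-negotiate"        # case 3: raw NTLMSSP sent under Negotiate
    if not token.startswith(b"\x60"):
        return "unknown"                    # not a GSS-API InitialContextToken
    mechs = [o for o in _scan_known_oids(token) if o != OID_SPNEGO]
    if not mechs:
        return "unknown"
    if mechs[0] in (OID_KRB5, OID_MSKRB5):
        return "kerberos"                   # case 1: Kerberos is the preferred mechanism
    return "ntlm-over-negotiate"            # case 3: SPNEGO whose preferred mechanism is NTLMSSP


# Constructed sample tokens (not captured traffic): an NTLM type 1 message and a
# stand-in for a Kerberos AP-REQ.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(16)
FAKE_AP_REQ = b"\x6e\x12AP-REQ placeholder"
SAMPLES = {
    "case1": "Negotiate " + base64.b64encode(
        build_spnego_init([OID_MSKRB5, OID_KRB5, OID_NTLMSSP], FAKE_AP_REQ)).decode(),
    "case2": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
    "case3_spnego": "Negotiate " + base64.b64encode(
        build_spnego_init([OID_NTLMSSP], NTLM_TYPE1)).decode(),
    "case3_raw": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
}


def classify_samples():
    return {name: classify_proxy_authorization(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name}: {result}")
```

Run against the base64 value of the Proxy-Authorization header from the request frame (388 in the post's second capture): a result of `ntlm-over-negotiate` is the failing case 3, which confirms the client never obtained a Kerberos ticket and fell back to NTLM inside the Negotiate scheme rather than switching to the NTLM scheme.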