- From: Mark Pauley <mpauley@apple.com>
- Date: Fri, 2 Apr 2010 15:23:14 -0700
- To: Jamie Lokier <jamie@shareable.org>
- Cc: Adrien de Croy <adrien@qbik.com>, ietf-http-wg@w3.org
I'm talking about the first NTLM leg here, once we've already established that we need to authenticate, and we've decided that the authentication method will be NTLM. As far as I can understand, unless the proxy server can break the NTLM sequence and simply forward the request when we send the initial NTLM salt, we will always expect a 4xx response from the first request sent in the NTLM sequence. On Apr 2, 2010, at 3:20 PM, Jamie Lokier wrote: > Mark Pauley wrote: >> Practically however: I've seen that Microsoft proxy servers and web >> servers that use NTLM authentication always ignore payload sent with >> the initiation of the NTLM authentication. In essence, the first >> request isn't really HTTP because the client really expects the >> server to respond only with a 4xx message. > > A proxy is free to forward your request to IIS between 10am and 2pm, > and to forward your request to Apache on a Linux box with no > authentication after 2pm. So it is, alas, broken in this scenario. > But that's the nature of the NTLM beast. > > -- Jamie
Received on Friday, 2 April 2010 22:23:47 UTC