kerberos authentication with neon 0.29.3

Danil Shopyrin danil at
Wed Mar 24 18:36:25 EDT 2010

> How does this make a difference in the case reported?  After processing
> the 2xx response does it generate a new SSPI token and send a new Auth
> header in the next request?

No, the authentication process is finished after processing the 2xx
response. But it's very important to process the final leg token
because this allows clients to check that the server is "who he claims
to be".

> (Otherwise, isn't the behaviour exactly the same; the *server* doesn't care know whether or not the client
> processed the 200 response token)

Yes, the server does not care about whether or not the client processes the
2xx response token. But the client must care.

> A minor nit in the patch:
>> +static int verify_sspi(struct auth_request *req, auth_session *sess,
>> +                       const char *hdr)
>> +{
>> +    int ntlm = ne_strncasecmp(hdr, "NTLM ", 5) == 0;
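Review bot: in the `int ntlm = ...` line the comparison is against "NTLM " including the trailing space, so a header value that is exactly "NTLM" with no token after it is classified as not NTLM. If that value can reach verify_sspi(), add a comment saying which branch it is meant to take, or test the scheme name and the separator separately so the classification does not depend on a token being present.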
> isn't it redundant to check that, since the verify_sspi() callback will
> only be used for Negotiate exchanges?

Good point. But maybe it's better to call verify_sspi() for NTLM too.
I'm not sure right now, but final legs *can* also be possible in NTLM.

With best regards,
Danil Shopyrin
VisualSVN Team
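
The client-side check discussed in this message, as an added example that is not code from neon or from the patch: the client treats the server as verified only if the 2xx response carries a Negotiate token and the security context accepts it. The names verify_final_leg, ctx_step_fn, demo_step and demo are hypothetical, and the step callback is a stand-in for the real SSPI/GSSAPI call; the sample token is constructed.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for the SSPI/GSSAPI step function: consumes the
 * server's token and returns 1 when the context is complete and the server
 * has proven its identity, 0 if more legs are needed, -1 on failure. */
typedef int (*ctx_step_fn)(void *ctx, const char *b64token, size_t len);

enum verdict { SERVER_VERIFIED, NO_FINAL_TOKEN, CONTEXT_REJECTED };

/* Check the auth header value of a 2xx response ("Negotiate <base64>"). */
enum verdict verify_final_leg(const char *hdr, ctx_step_fn step, void *ctx)
{
    const char *tok;
    size_t len;

    if (hdr == NULL || strncasecmp(hdr, "Negotiate", 9) != 0)
        return NO_FINAL_TOKEN;
    tok = hdr + 9;
    if (*tok != ' ' && *tok != '\t')
        return NO_FINAL_TOKEN;           /* bare scheme, or a longer word */
    while (*tok == ' ' || *tok == '\t')
        tok++;
    len = strcspn(tok, " \t,\r\n");
    if (len == 0)
        return NO_FINAL_TOKEN;           /* scheme present but no token */
    /* On a 2xx response there is no further leg, so anything other than
     * "complete" from the context means the server was not verified. */
    return step(ctx, tok, len) == 1 ? SERVER_VERIFIED : CONTEXT_REJECTED;
}

/* Constructed stub context for the demo: accepts exactly one known token. */
static int demo_step(void *ctx, const char *tok, size_t len)
{
    const char *expected = ctx;
    return (len == strlen(expected) && memcmp(tok, expected, len) == 0) ? 1 : -1;
}

int demo(const char *hdr)
{
    static char expected[] = "b2s9ZmluYWw=";   /* constructed sample token */
    return verify_final_leg(hdr, demo_step, expected);
}
```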