Reputation: 674
Is there some kind of documentation on what IE does when receiving a Negotiate Authorize header?
Something like: IE first checks if the URL is in the intranet zone. If not, it always responds with an NTLM Authorize. Then it does a name resolution, bla bla. Then it constructs an SPN using this and that and sends the SPN to its Active Directory. If the SPN is not in Active Directory, it falls back to NTLM, etc. etc...
Looking on the web, I can only see a big compilation of checklists or possible workarounds or advice like "make sure DNS works properly", but I didn't find any place that explains why DNS should work properly, i.e. when and how IE uses DNS to decide whether it tries Kerberos or NTLM or nothing at all...
I found people stating that Kerberos doesn't work with IP addresses, but I don't get why. If reverse DNS works, the browser could figure out the name...
EDITED: I think I'm interested in the algorithm used by SSPI's InitializeSecurityContext (using NEGOTIATE) in order to choose between Kerberos or NTLM as the preferred mechtype. Does anyone know if it is documented somewhere?
Upvotes: 0
Views: 64
Reputation: 18415
You won't get any documentation on Microsoft's internal implementation details. All you have is trial and error.
Upvotes: 2
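For the trial-and-error route, the client's choice is visible in the token it sends: the sketch below (an added example, not part of the original posts) decodes an `Authorization: Negotiate` value and lists the offered mechanisms, which RFC 4178 orders by decreasing preference. The function names and the sample tokens are constructed for illustration.

```python
import base64
# Mechanism OIDs as DER value bytes (without tag and length).
SPNEGO = bytes.fromhex("2b0601050502")                              # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",             # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos V5 (MS legacy)", # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",               # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos, want):  # one DER element with tag `want` -> (value, next_pos)
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

def offered_mechs(header_value):
    """Return the mechanisms in an 'Authorization: Negotiate ...' value, preferred first."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64, validate=True)
    if token.startswith(b"NTLMSSP\x00"):   # bare NTLM message, no SPNEGO wrapper
        return ["NTLMSSP (raw)"]
    gss, _ = read_tlv(token, 0, 0x60)      # GSS-API initial context token
    oid, pos = read_tlv(gss, 0, 0x06)
    if oid != SPNEGO:                      # a single mechanism sent without SPNEGO
        return [MECHS.get(oid, oid.hex()) + " (raw)"]
    init, _ = read_tlv(gss, pos, 0xA0)     # [0] NegTokenInit
    seq, _ = read_tlv(init, 0, 0x30)
    field, _ = read_tlv(seq, 0, 0xA0)      # [0] mechTypes
    oids, _ = read_tlv(field, 0, 0x30)
    found, pos = [], 0
    while pos < len(oids):
        oid, pos = read_tlv(oids, pos, 0x06)
        found.append(MECHS.get(oid, oid.hex()))
    return found

# Constructed sample tokens (not captured traffic); all lengths fit DER short form.
def der(tag, body):
    return bytes([tag, len(body)]) + body
MECH_LIST = b"".join(der(0x06, o) for o in MECHS)
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, der(0xA0, der(0x30, MECH_LIST)))))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Running `offered_mechs` on header values copied from a proxy or server log shows, per request, whether the client offered Kerberos at all or sent NTLM straight away.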