On Mon, 16 May 2011, Daniel Stenberg wrote:
> On Mon, 16 May 2011, David Woodhouse wrote:
> Hm, is this "try next method" unique for Kerberos/Negotiate? Are there other
> methods that we can expect to be able to fail "early" like that?

Well, it's not so much about failing early. Surely the distinction is single-sign-on. In the case of Kerberos (if you have a TGT) or NTLM (if running winbind) you can attempt to authenticate *automatically* without having to interact with the user. You try those, and *if* they fail you fall back to asking the user for a password.

> Certainly trying NTLM next can't be really universal as surely not every
> server out there will offer exactly those two authentication methods in pair?
> What I mean is that the "try next" logic would have to be able to try the
> next method in order of preference where NTLM is one of the possible choices.
> Or am I wrong?

Yes, absolutely. Try the next method in order of preference, if SSO fails. Note that if NTLM with SSO fails, you might actually try NTLM with a user-provided password next. Not give up on NTLM entirely.

--
dwmw2
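
The fallback order discussed in this message, sketched as an added example that is not part of the original mail and is not libcurl code. All names are hypothetical, and treating Negotiate as having no password form is an assumption of the sketch.

```c
#include <stddef.h>

/* Hypothetical names; none of this is libcurl's API. */
enum { M_NEGOTIATE = 1, M_NTLM = 2, M_DIGEST = 4, M_BASIC = 8 };
enum cred { CRED_SSO, CRED_PASSWORD };
struct attempt { int mech; enum cred cred; };

/* Client preference order, most preferred first. */
static const int pref[] = { M_NEGOTIATE, M_NTLM, M_DIGEST, M_BASIC };
#define NPREF (sizeof pref / sizeof pref[0])

/* Only these two can run without prompting, as described in the mail:
 * Kerberos when a TGT is held, NTLM when winbind is running. */
static int can_sso(int mech, int have_tgt, int have_winbind)
{
    return (mech == M_NEGOTIATE && have_tgt) ||
           (mech == M_NTLM && have_winbind);
}

/* Assumption: Negotiate has no password form in this sketch. */
static int takes_password(int mech) { return mech != M_NEGOTIATE; }

/* Fill plan[] with the attempts to make, in order, restricted to the
 * mechanisms the server offered (bitmask). Returns the entry count. */
size_t build_plan(int offered, int have_tgt, int have_winbind,
                  struct attempt *plan, size_t max)
{
    size_t n = 0, i;

    /* Pass 1: silent attempts that need no user interaction. */
    for (i = 0; i < NPREF && n < max; i++)
        if ((offered & pref[i]) && can_sso(pref[i], have_tgt, have_winbind))
            plan[n++] = (struct attempt){ pref[i], CRED_SSO };

    /* Pass 2: used only after every silent attempt has failed; the user is
     * prompted. NTLM reappears here even if NTLM SSO was already tried. */
    for (i = 0; i < NPREF && n < max; i++)
        if ((offered & pref[i]) && takes_password(pref[i]))
            plan[n++] = (struct attempt){ pref[i], CRED_PASSWORD };

    return n;
}
```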