There is a bug in the currently shipping SPNEGO implementation (which
is in CFNetwork). This bug makes SPNEGO use the wrong case in part of
the server principal name. Well, it uses the right server principal
name, but some silly company in WA accidentally made canonical SPNEGO
use HTTP/<host> instead of http/<host>. It would not surprise me if
this bug had already been fixed for the next Tiger update.
CFNetwork is open sourced, so you can check there.
The CFNetwork SPNEGO doesn't pretend to be a pseudomechanism; I
wouldn't recommend trying to do that until the KITTEN working group
has finished the GSSAPI revisions, as there are a lot of places where
its not clear what a pseudo-mechanism should do (I tried wrapping up
some java SPNEGO stuff with the GSSAPI, and it got quite messy
figuring out what credentials and name types to ask for or report).
See also: CFHTTPAuthentication.
Simon
On Aug 9, 2005, at 4:38 PM, Nathan Herring wrote:
Given that Tiger's Safari supports the Negotiate authentication
mechanism with at least support for Kerberos (although I also
expect it
supports NTLM), is it using some system library that exports the
GSSAPI
supporting Negotiate?
I'm thinking here of a library that is a thin wrapper to other
GSSAPI-exported libraries (e.g., Kerberos.framework), which might load
them as plugins (if possible?).
