NTLM Authentication done even if not in AuthSchemas
Reported by
enri...@gmail.com,
Jul 9
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

Steps to reproduce the problem:
1. Set the AuthSchemas to "basic,digest,negotiate" in registry
2. Try to authenticate to a site protected with Kerberos/Negotiate **in a different realm** (i.e. Kerberos has to fail)
3. Basic popup appears to collect credentials(?)
4. Submit any credentials in the popup, the Authorization Negotiate is "TlRMTVNTUA..." (NTLMSSP)

What is the expected behavior?
If Kerberos is not available and NTLM is disabled, Chrome must not attempt NTLM

What went wrong?
Basic Popup displayed and NTLM Negotiate done even if NTLM is disabled in the registry

Did this work before? N/A

Chrome version: 59.0.3071.115 (Official Build) (64-bit) Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 29.0 r0
,
Jul 9
'ntlm' here refers to the 'ntlm' HTTP authentication scheme[1] and not the 'NTLM' mechanism that may be negotiated by SSPI while attempting to authenticate with the target. Once explicit credentials are involved, there's no advantage to using Basic over NTLM. Hence attempting NTLM if Kerberos failed as the underlying 'negotiate' mechanism is the expected behavior.

[1]: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication
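Added example, not part of the original report or of Chromium's code: a small Python check that tells which mechanism a `Negotiate` header token actually carries, which is how the "TlRMTVNTUA" prefix in the report identifies raw NTLMSSP inside the 'negotiate' scheme. The function name, the heuristic OID search and both sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_negotiate(header_value):
    """Return (mechanism, detail) for an Authorization/WWW-Authenticate value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", scheme)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", "not base64")
    if token.startswith(NTLMSSP_SIG):
        # Raw NTLMSSP carried under the 'negotiate' scheme, as in the report.
        if len(token) < 12:
            return ("ntlm", "truncated")
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return ("ntlm", NTLM_TYPES.get(msg_type, "unknown"))
    if token[:1] == b"\x60":  # GSS-API InitialContextToken
        if OID_SPNEGO in token[:16]:
            # Heuristic: byte-search the token for the offered mechanism OIDs.
            mechs = (("kerberos", OID_KRB5), ("ntlm", OID_NTLM))
            offered = [name for name, oid in mechs if oid in token]
            return ("spnego", ",".join(offered) or "unknown")
        if OID_KRB5 in token[:16]:
            return ("kerberos", "gss-krb5")
    return ("unknown", "")


def _tlv(tag, body):
    """Short-form DER TLV, enough for the small constructed sample below."""
    return bytes([tag, len(body)]) + body


# Constructed samples (not captured traffic).
SAMPLE_NTLM_B64 = base64.b64encode(
    NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207) + bytes(16)).decode()
_mechs = _tlv(0xA0, _tlv(0x30, OID_KRB5 + OID_NTLM))
SAMPLE_SPNEGO_B64 = base64.b64encode(
    _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _mechs)))).decode()
```

Run over proxy or server logs, this separates NTLM that arrives inside `Negotiate` from requests using the separate `NTLM` scheme, which is the distinction the reply above draws.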
Comment 1 by dtapu...@chromium.org
, Jul 9