Support of NTLM
Brought to you by:
kouril
When doing Negotiate the IE browser may choose to use NTLM if Kerberos isn't available on the client. Since several Kerberos implementations support NTLM under GSSAPI, the module could provide fallback to NTLM for clients that can't speak Kerberos. See also https://sourceforge.net/mailarchive/forum.php?thread_name=0DC212FE7F69B24F81D2C4F1E65FCC2303D55CA5%40svits11.main.ad.rit.edu&forum_id=18368
I'd also support that. I'd like to recollect what I gathered from studying this:
- IE in every known version will, sometimes for discernible, often for arbitrary reasons, fall back to NTLMSSP auth even if Kerberos is available and working.
- MS won't fix that, since it's behaviour that IIS copes with.
- Multi-authentication is not really available in Apache (there are tries, but none of these seem to give the desired result).
- The only available option at the moment is switching to IIS, which is driving tears into the eyes of most people here.
- There is code available since 2005 by Jens B. Jorgensen (jbj1 <at> ultraemail.net), on the apache.mod-auth-kerb.general list, which allows mod_auth_kerb to also fall back to NTLMSSP. Also, in the above-mentioned post, Bill Kuker seems to have integrated NTLM fallback.
- Implementing this would make the experience using mod_auth_kerb so much better.
- I haven't found reasons against this (except security concerns, and this fallback capability would of course have to be optional, steered by a config var).
Would a developer be so kind and give an answer to this matter? Sorry if I overlooked something, my week of investigating all this didn't produce a definite answer on any of these.
Did this ever progress? Any hope of Kerberos falling back to NTLMv2 authentication?
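Added example, not part of the ticket thread or of mod_auth_kerb's code: the thread turns on browsers sending NTLMSSP instead of Kerberos under Negotiate, and the C code below shows how the first bytes of the base64-decoded token tell the cases apart, which is the check a server needs before it can log, refuse or optionally accept the fallback. The function names and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names. tok is the base64-decoded value that follows
 * "Authorization: Negotiate " in the request header. */
enum neg_kind { NEG_UNKNOWN, NEG_SPNEGO, NEG_KRB5, NEG_NTLM_RAW };
/* DER-encoded mechanism OIDs: SPNEGO 1.3.6.1.5.5.2, Kerberos 5 1.2.840.113554.1.2.2 */
static const unsigned char OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char OID_KRB5[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
/* Constructed, truncated sample tokens (not captured traffic). */
static const unsigned char SAMPLE_NTLM[] = {'N','T','L','M','S','S','P',0, 1,0,0,0};
static const unsigned char SAMPLE_SPNEGO[] = {0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x00};
static const unsigned char SAMPLE_KRB5[] = {0x60,0x82,0x01,0x00,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x01,0x00};

/* NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate); 0 if not raw NTLMSSP. */
unsigned ntlm_message_type(const unsigned char *tok, size_t len)
{
    if (tok == NULL || len < 12 || memcmp(tok, "NTLMSSP\0", 8) != 0) return 0;
    /* 32-bit little-endian field directly after the 8-byte signature */
    return tok[8] | tok[9] << 8 | tok[10] << 16 | (unsigned)tok[11] << 24;
}

enum neg_kind classify_negotiate_token(const unsigned char *tok, size_t len)
{
    size_t pos = 2, oid_len;
    if (tok == NULL || len < 2) return NEG_UNKNOWN;
    if (len >= 8 && memcmp(tok, "NTLMSSP\0", 8) == 0) return NEG_NTLM_RAW;
    /* GSS-API framing: 0x60, DER length, then 0x06 <len> <mechanism OID> */
    if (tok[0] != 0x60) return NEG_UNKNOWN;
    if (tok[1] & 0x80) {                 /* long-form length: skip its octets */
        size_t n = tok[1] & 0x7f;
        if (n == 0 || n > 4) return NEG_UNKNOWN;
        pos += n;
    }
    if (pos + 2 > len || tok[pos] != 0x06) return NEG_UNKNOWN;
    oid_len = tok[pos + 1];
    pos += 2;
    if (oid_len > len - pos) return NEG_UNKNOWN;   /* OID runs past the buffer */
    if (oid_len == sizeof OID_SPNEGO && !memcmp(tok + pos, OID_SPNEGO, oid_len)) return NEG_SPNEGO;
    if (oid_len == sizeof OID_KRB5 && !memcmp(tok + pos, OID_KRB5, oid_len)) return NEG_KRB5;
    return NEG_UNKNOWN;
}

int main(void)
{
    printf("ntlm kind=%d type=%u\n", classify_negotiate_token(SAMPLE_NTLM, sizeof SAMPLE_NTLM), ntlm_message_type(SAMPLE_NTLM, sizeof SAMPLE_NTLM));
    printf("spnego kind=%d krb5 kind=%d\n", classify_negotiate_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO), classify_negotiate_token(SAMPLE_KRB5, sizeof SAMPLE_KRB5));
    return 0;
}
```

A `NEG_SPNEGO` result identifies only the outer framing: SPNEGO can itself carry NTLMSSP as its negotiated mechanism, which this example does not parse.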