> Robert Collins wrote:
>
> > The challenge is tied to a connection in the MS protocol, we only find
> > the username on the response, so any caching we do has to be tied to a
> > machine (It's the only info we can use), and we find the username on the
> > client response. As such we are one step behind the game, and any
> > problems (users moving machines, multi-user machines) will surface after
> > the client has tried authenticating.
>
> Then I am misinformed. According to the info I have the client first
> presents its identification including workstation name and userid,
Yes, you are.
It first presents its workstation name and domain, and even
that not always.
Before you ask: yes, I have network traces showing such a behaviour.
> which makes sense to me as I thought you need to know the user domain to
> be able to get the challenge from the correct domain controller...
Correct. I am puzzled as to what happens when the client offers no
such information; maybe the proxy is supposed to ask for a challenge from
his own DC, or his local authentication service.
> > As above the issue is: who do we replay it to? (must be machine as that
> > is the only info we have when we present the challenge)
> > What if that machine has multiple users (a la metaframe or a big
> > X-client)? (We're stuffed - every connection will be for a different
> > user and a cached challenge is only valid for a single user).
>
> A connection where the same identification is presented.
Could be reasonable, but further testing is required.
> > For the moment I'm going to leave the possibilities of caching to the
> > side. I will put together an update for the NTLM notes page though.
>
> That is fine. However, keep in mind that it should be done on Basic
> authentication even if not possible in NTLM.
Definitely.
/kinkie
Received on Tue Aug 01 2000 - 09:23:25 MDT
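The point the thread turns on, that a proxy sees only an optional workstation/domain name in the client's first NTLM message and learns the username only in the final one, can be checked directly on the wire format. The following is an added example, not code from the Squid project or from either correspondent: it builds constructed NTLMSSP Type 1, Type 2 and Type 3 messages using the field layout from MS-NLMP (assumed here; responses are zero-filled placeholders, not real hashes) and parses them the way a proxy handling `Proxy-Authorization: NTLM <base64>` would, returning what is identifiable at each step of the exchange.

```python
import base64
import struct

# NTLMSSP constants as documented in MS-NLMP (assumed layout; no real credentials involved).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001
FLAG_OEM = 0x00000002
FLAG_OEM_DOMAIN_SUPPLIED = 0x00001000
FLAG_OEM_WORKSTATION_SUPPLIED = 0x00002000


def _field(chunks, value, base):
    """Append `value` to the payload and return its (Len, MaxLen, Offset) descriptor."""
    offset = base + sum(len(c) for c in chunks)
    chunks.append(value)
    return struct.pack("<HHI", len(value), len(value), offset)


def build_type1(domain=b"", workstation=b""):
    """Constructed NEGOTIATE (Type 1): flags plus optional OEM domain/workstation, never a user."""
    flags = FLAG_OEM | FLAG_UNICODE
    if domain:
        flags |= FLAG_OEM_DOMAIN_SUPPLIED
    if workstation:
        flags |= FLAG_OEM_WORKSTATION_SUPPLIED
    chunks = []
    header = NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags)
    header += _field(chunks, domain, 32)       # DomainNameFields at offset 16
    header += _field(chunks, workstation, 32)  # WorkstationFields at offset 24
    return header + b"".join(chunks)           # fixed header is 32 bytes


def build_type2(challenge, target=b""):
    """Constructed CHALLENGE (Type 2): the 8-byte server challenge the proxy hands out."""
    chunks = []
    header = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE)
    header += _field(chunks, target, 48)       # TargetNameFields at offset 12
    header += struct.pack("<I", FLAG_OEM)      # NegotiateFlags at offset 20
    header += challenge                        # ServerChallenge at offset 24
    header += b"\x00" * 8                      # Reserved
    header += struct.pack("<HHI", 0, 0, 48)    # TargetInfoFields (empty)
    return header + b"".join(chunks)           # fixed header is 48 bytes


def build_type3(user, domain, workstation, lm_resp=b"\x00" * 24, nt_resp=b"\x00" * 24):
    """Constructed AUTHENTICATE (Type 3): the first message that carries the username."""
    chunks = []
    fields = b"".join(_field(chunks, v, 64)
                      for v in (lm_resp, nt_resp, domain, user, workstation, b""))
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields + struct.pack("<I", FLAG_OEM)
    return header + b"".join(chunks)           # fixed header is 64 bytes


def _read(buf, desc_off):
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, desc_off)
    return buf[offset:offset + length]


def _text(raw, unicode):
    if not raw:
        return None
    return raw.decode("utf-16-le" if unicode else "ascii", errors="replace")


def parse_ntlm(token):
    """Decode one base64 NTLMSSP token and report what identifies the peer at this step."""
    buf = base64.b64decode(token)
    if len(buf) < 12 or buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", buf, 8)
    if mtype == NEGOTIATE:
        (flags,) = struct.unpack_from("<I", buf, 12)
        return {"type": 1,
                "domain": _text(_read(buf, 16), False) if flags & FLAG_OEM_DOMAIN_SUPPLIED else None,
                "workstation": _text(_read(buf, 24), False) if flags & FLAG_OEM_WORKSTATION_SUPPLIED else None,
                "user": None}
    if mtype == CHALLENGE:
        return {"type": 2, "challenge": buf[24:32].hex(), "user": None}
    if mtype == AUTHENTICATE:
        (flags,) = struct.unpack_from("<I", buf, 60)
        uni = bool(flags & FLAG_UNICODE)
        return {"type": 3,
                "domain": _text(_read(buf, 28), uni),
                "user": _text(_read(buf, 36), uni),
                "workstation": _text(_read(buf, 44), uni)}
    raise ValueError(f"unknown NTLMSSP message type {mtype}")


def to_header(msg):
    """Render a message as the value of a Proxy-Authorization / Proxy-Authenticate header."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def identity_from_header(value):
    """Parse an 'NTLM <base64>' header value; what the proxy can key a cache on at this step."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    return parse_ntlm(token)


if __name__ == "__main__":
    # Constructed exchange: a bare Type 1, a Type 1 naming the machine, the proxy's Type 2,
    # and the Type 3 that finally names the user (sample names are made up).
    for hdr in (to_header(build_type1()),
                to_header(build_type1(b"EXAMPLE", b"WKS01")),
                to_header(build_type2(bytes(range(8)))),
                to_header(build_type3(b"alice", b"EXAMPLE", b"WKS01"))):
        print(identity_from_header(hdr))
```

Run as a script, the first two lines of output show a Type 1 with no name at all and one with only domain and workstation, and `user` is `None` in both; only the Type 3 result names `alice`. That is the ordering the thread describes: any cache keyed before the Type 3 arrives can be keyed on the connection or the machine, not on the user.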