On Mon, Aug 11, 2014 at 03:25:08PM -0700, Chris Brannon wrote:
> Adam Thompson writes:
>
> > Thanks, commit pushed.
>
> Sounds good. I'd still love to know why the auth negotiation is broken.
> Is it something that needs to be reported upstream to the curl people?

I'm not sure tbh. Looking on the internet suggests they've been told,
but it may be worth looking through their bug tracker to check.

The basic problem is that, when you don't have Kerberos credentials set up,
the Negotiate auth fails and libcurl then errors out as it happens after the
authentication check round-trip (i.e. libcurl has already decided which auth
method it's going to use and doesn't fall back on an auth failure).

In most cases this behavior of not falling back on auth failures is perfectly
sane (and probably desirable) since it prevents doing something unfortunate
like falling back from digest to basic auth because the user wasn't
authorized to view particular content.

The problem is that Microsoft IIS seems to like sending Negotiate auth
headers with NTLM ones (not sure if it's an implementation, protocol or
configuration thing or what, I'd need to check the NTLM and IIS docs).

> The realm field from auth.c doesn't seem to be used after we switched
> over to letting libcurl handle authentication.

Ok, I'll remove it tonight or tomorrow in that case.

Cheers,
Adam.
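Added example, not part of the original message and not code from libcurl or from the project discussed in this thread: a simplified C model of the behaviour the message describes, where the client commits to one scheme from the offered challenges and never falls back. The flag names, the preference order and the idea of masking Negotiate out of the allowed set are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flags for this model; they are not libcurl's constants. */
enum { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_DIGEST = 2, AUTH_NEGOTIATE = 4, AUTH_NTLM = 8 };
#define AUTH_ALL (AUTH_BASIC | AUTH_DIGEST | AUTH_NEGOTIATE | AUTH_NTLM)
/* Constructed sample: the two challenges an IIS-style 401 response carries. */
static const char *const SAMPLE[] = { "Negotiate", "NTLM" };

/* Map the scheme token of one WWW-Authenticate value to a flag (case-insensitive). */
unsigned scheme_flag(const char *value)
{
    static const struct { const char *name; unsigned flag; } known[] = {
        { "basic", AUTH_BASIC }, { "digest", AUTH_DIGEST },
        { "negotiate", AUTH_NEGOTIATE }, { "ntlm", AUTH_NTLM } };
    size_t len = strcspn(value, " \t\r\n");
    for (size_t k = 0; k < sizeof known / sizeof known[0]; k++) {
        size_t i = 0;
        if (strlen(known[k].name) != len) continue;
        while (i < len && tolower((unsigned char)value[i]) == known[k].name[i]) i++;
        if (i == len) return known[k].flag;
    }
    return AUTH_NONE;
}

/* Union of every scheme offered across the challenge headers. */
unsigned offered_schemes(const char *const *values, size_t n)
{
    unsigned offered = AUTH_NONE;
    for (size_t i = 0; i < n; i++) offered |= scheme_flag(values[i]);
    return offered;
}

/* Commit to the first usable scheme in an assumed preference order; no later fallback. */
unsigned pick_one_auth(unsigned offered, unsigned allowed)
{
    static const unsigned order[] = { AUTH_NEGOTIATE, AUTH_DIGEST, AUTH_NTLM, AUTH_BASIC };
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if (offered & allowed & order[i]) return order[i];
    return AUTH_NONE;
}

int main(void)
{
    unsigned offered = offered_schemes(SAMPLE, 2);
    printf("all allowed: %u, Negotiate masked out: %u\n",
           pick_one_auth(offered, AUTH_ALL), pick_one_auth(offered, AUTH_ALL & ~AUTH_NEGOTIATE));
}
```

With every scheme allowed the model commits to Negotiate, which is the case that fails without Kerberos credentials; with Negotiate removed from the allowed set it selects NTLM, and a server offering only Digest and Basic still never drops to Basic.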