问题
I am trying to access a site that is password protected. It is not using basic authentication (even though the same user/pass box pops up in firefox) as the response header is WWW-Authenticate: Negotiate.
I want to automate the login process by sending the correct header.
In basic you would use something like:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
What would I use for negotiate?
回答1:
The web server is prompting you for a SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token.
This is a Microsoft invention for negotiating a type of authentication to use for Web SSO (single-sign-on):
- either NTLM
- or Kerberos.
See:
- Microsoft MSDN Library: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
- RFC 4178: The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism
回答2:
Putting this information here for future readers' benefit.
401 (Unauthorized) response header -> Request authentication header
Here are several WWW-Authenticate response headers. (The full list is at IANA: HTTP Authentication Schemes.)
WWW-Authenticate: Basic-> Authorization: Basic + token - Use for basic authenticationWWW-Authenticate: NTLM-> Authorization: NTLM + token (2 challenges)WWW-Authenticate: Negotiate-> Authorization: Negotiate + token - used for Kerberos authentication- By the way: IANA has this angry remark about Negotiate: This authentication scheme violates both HTTP semantics (being connection-oriented) and syntax (use of syntax incompatible with the WWW-Authenticate and Authorization header field syntax).
You can set the Authorization: Basic header only when you also have the WWW-Authenticate: Basic header on your 401 challenge.
But since you have WWW-Authenticate: Negotiate this should be the case for Kerberos based authentication.
来源:https://stackoverflow.com/questions/4265975/authentication-issues-with-www-authenticate-negotiate