I am writing a WEB Service that is using Negotiate protocol with the MS api
AcceptSecurityContext. If the browser is not logged into the domain but a
group and tries to access the service the browser will respond with a
WWW-Negotiate header passing a token to the service. However the browser will
return a Page Cannot be displayed if the output of the AcceptSecurityContext
returned a SEC_I_CONTINUE_NEEDED and the output buffer is sent back. I would
have expected the browser to prompt for credentials or make a new request and
choose another option when the cycle repeats. If this is the desired
operation of the browser should I not return the output from the
SEC_I_CONTINUE_NEEDED and resend the 401 without the Negotiate as an option ?
By the way if I do a good NTLM the kerboros will succeed when tried again.
Just looking for the correct approach.