I *think* the problem is that Microsoft is returning a "200 OK" message
but it has additional authentication header fields attached to it. If
they were using the 401 code, that would be OK, but they are using 200
and adding the final mutual-auth GSSAPI tokens to it, which, I believe,
is a vi

Could you elaborate on how this would break the HTTP spec? I was
under the (admittedly naive) impression that more or less any
challenge-response authentication mechanism could be implemented in
HTTP via the HTTP 401 error code. So presumably I would think that
GSS context tokens could