We're having a problem surrounding Tomcat when using NTLM authentication
(Windows NT/2000 "single sign-on" through IE), when Internet Explorer
decides that it should use HTTP 1.0.

The problem is that NTLM _must_ go three times "back-and-forth" on the
same connection. It is a connection-level authentication mechanism, rather
than a session-oriented mechanism, probably violating a dozen RFCs.
However, this requires that the server does "Keep-Alive" connections.

The whole system works like a charm with HTTP 1.1, where Tomcat is eager
to do keep-alive. But, if the browser is set up to do HTTP 1.0 only (as
you can with IE, also through the policy system for Windows, as a company
here has done!), then Tomcat refuses to do keep-alive. An RFC out there
(http:1.0 2068) states that if the client adds the string "Connection:
Keep-Alive", then the server should still do keep-alive, even on 1.0. This
is not the fact with Tomcat (4.1.12); it always and still closes the
connection if the client requests HTTP 1.0 _with_ "Connection:
Keep-alive" (as verified using telnet).

We've banged our heads against this for some time now, and would like to
know if anyone has any ideas for solutions.

One idea that hasn't been exhausted yet is whether any of the connectors
available between Apache httpd and Tomcat will behave differently than
Tomcat's native HTTP connector? Is this a probable avenue?

Any help would be greatly appreciated!

PS: Check out the excellent jcifs project for more background on NTLM and
CIFS, http://jcifs.samba.org/

-- 
Mvh,
Endre Stølsvik               M[+47 93054050] F[+47 51625182]
Developer @ CoreTrek AS         -  http://www.coretrek.com/
CoreTrek corporate portal / EIP -  http://www.corelets.com/
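
Added example, not part of the original message and not Tomcat or jcifs code: a Python check for the condition described above, namely whether the response to an HTTP/1.0 request carrying "Connection: Keep-Alive" leaves the connection open so the NTLM exchange can continue on it. The sample responses, the function names and the default port 8080 are assumptions made for illustration.

```python
import socket

# Constructed sample responses (not captured from a real server).
KEPT = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM Q09OU1RSVUNURUQ=\r\n"
        b"Connection: Keep-Alive\r\nContent-Length: 0\r\n\r\n")
DROPPED = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM Q09OU1RSVUNURUQ=\r\n"
           b"Content-Length: 0\r\n\r\n")

def parse_head(raw):
    """Split a raw HTTP response head into (version, status, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def connection_persists(request_version, raw):
    """True if the server will keep the connection open after this response."""
    _, _, headers = parse_head(raw)
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    if "close" in tokens:
        return False
    if request_version == "HTTP/1.0":
        return "keep-alive" in tokens   # 1.0: persistent only if echoed back
    return True                          # 1.1: persistent by default

def ntlm_can_continue(request_version, raw):
    """An NTLM 401 challenge is only usable if the same connection stays open."""
    _, status, headers = parse_head(raw)
    challenged = status == 401 and any(
        v.upper().startswith("NTLM") for v in headers.get("www-authenticate", []))
    return challenged and connection_persists(request_version, raw)

def probe(host, port=8080, path="/"):
    """Live check, like the telnet test: HTTP/1.0 plus Connection: Keep-Alive."""
    req = (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
           "Connection: Keep-Alive\r\n\r\n").encode()
    data = b""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return bool(data) and connection_persists("HTTP/1.0", data)
```

Running probe() against the native connector and against an httpd front end shows whether the two differ in this respect.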

