
Just noticed that with Kerberos authentication, the client browser always gets a 401 response first (with a WWW-Authenticate: Negotiate header), and in the next request the actual Kerberos token is sent for authentication (handled internally by the browser).

For the first time it's fine, but for every subsequent request why is this process repeated? Once the client knows that the server supports Kerberos, why doesn't the client store a cookie to indicate that every time I need to send the auth token?

I understand that the NTLM protocol is designed like this, but I want to understand why?

1 Answer


HTTP is stateless. Unless the server tells the client it should persist a state (via server cookie), the client should never assume anything about the server's intent.

More to the point, it's wrong to assume that either party can always do Kerberos. The server originally said it wanted to Negotiate, and Negotiate contains a set of available protocols in preferred order (Kerberos, NTLM, etc.). A client can do Kerberos when it has line of sight to a KDC, but it can do NTLM in any/most circumstances, and it prefers Kerberos.

Additionally, once the client is authenticated the server may respond with a session cookie. The browser doesn't understand the contents, so it has no idea what happened. The server must then always indicate to the browser that it needs to auth up again (via 401 + WWW-Auth).
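The round trips described in the answer, modelled as an added example (this is not code from the answer's author, and no real GSSAPI/Kerberos tokens are produced: the `Client`, `Server`, `fetch` and `simulate` names, the `sid=N` cookie and the `-TOKEN-PLACEHOLDER` strings are constructed for illustration). It shows why a stateless server challenges every request with 401 + WWW-Authenticate unless it has itself handed the browser a session cookie, and how the client falls back from Kerberos to NTLM inside Negotiate when it has no line of sight to a KDC:

```python
"""Model of the HTTP Negotiate challenge/response round trips (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional


def parse_challenge(header: str) -> list:
    """Return the auth schemes named in a WWW-Authenticate header, in the
    server's preferred order. Scheme parameters such as realm="..." are
    dropped; a comma-separated parameter (e.g. qop="auth") contains '=' and is
    therefore not mistaken for a scheme name."""
    schemes = []
    for part in header.split(","):
        first = part.strip().split(" ", 1)[0]
        if first and "=" not in first:
            schemes.append(first)
    return schemes


@dataclass
class Client:
    """Browser-side behaviour: never assumes server state unless a cookie says so."""
    can_reach_kdc: bool                      # line of sight to a KDC -> Kerberos possible
    cookies: dict = field(default_factory=dict)

    def pick_mechanism(self, schemes: list) -> Optional[str]:
        # Inside Negotiate the client prefers Kerberos and falls back to NTLM.
        if "Negotiate" in schemes:
            return "Kerberos" if self.can_reach_kdc else "NTLM"
        if "NTLM" in schemes:
            return "NTLM"
        return None                          # nothing the client can satisfy


@dataclass
class Server:
    """Stateless server: the only state it trusts is a session it issued itself."""
    issue_session_cookie: bool
    sessions: set = field(default_factory=set)

    def handle(self, headers: dict):
        cookie = headers.get("Cookie")
        if cookie and cookie in self.sessions:
            return 200, {}                   # state the server created -> no challenge
        auth = headers.get("Authorization", "")
        if auth.startswith("Negotiate "):
            # Constructed placeholder: a real server validates the GSS token here.
            resp = {}
            if self.issue_session_cookie:
                sid = f"sid={len(self.sessions) + 1}"   # constructed session id
                self.sessions.add(sid)
                resp["Set-Cookie"] = sid
            return 200, resp
        # No proof of identity and no session: challenge, listing schemes in order.
        return 401, {"WWW-Authenticate": "Negotiate, NTLM"}


def fetch(client: Client, server: Server):
    """One logical request; returns (status, round trips used, mechanism used or None)."""
    headers = {}
    if "session" in client.cookies:
        headers["Cookie"] = client.cookies["session"]
    round_trips = 1
    status, resp = server.handle(headers)
    mech = None
    if status == 401:
        mech = client.pick_mechanism(parse_challenge(resp["WWW-Authenticate"]))
        if mech is None:
            return 401, round_trips, None
        # Constructed token stand-in; the browser would emit a real GSS token here.
        headers["Authorization"] = f"Negotiate {mech}-TOKEN-PLACEHOLDER"
        round_trips += 1
        status, resp = server.handle(headers)
    if "Set-Cookie" in resp:
        client.cookies["session"] = resp["Set-Cookie"]   # persist only what the server told us to
    return status, round_trips, mech


def simulate(issue_session_cookie: bool, can_reach_kdc: bool, requests: int = 3) -> list:
    """(round trips, mechanism) for each of `requests` consecutive requests."""
    client = Client(can_reach_kdc=can_reach_kdc)
    server = Server(issue_session_cookie=issue_session_cookie)
    out = []
    for _ in range(requests):
        status, trips, mech = fetch(client, server)
        assert status == 200
        out.append((trips, mech))
    return out


if __name__ == "__main__":
    print("no cookie, KDC reachable:  ", simulate(False, True))
    print("cookie issued, KDC reachable:", simulate(True, True))
    print("no cookie, no KDC (NTLM):  ", simulate(False, False))
```

Without a server-issued cookie every request costs two round trips and a fresh token; once the server sets a cookie, only the first request does. The client never shortcuts the 401 on its own, which is exactly the stateless behaviour the answer describes.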