[proposed enhancement] Option to suppress NTLM (forceNegotiate)?

Question

[proposed enhancement] Option to suppress NTLM (forceNegotiate)?

fusscreme opened this issue 3 years ago · comments

Hi,

Is there a possibility to suppress NTLM authentification and to only use Negotiate (Kerberos)? If someone brings their own device I cannot force a group policy object (GPO) to list the url in the intranet zone whitelist. And then they get this ugly popup in the browser, asking for credentials.
Therefore a option forceNegotiate just like forceNTLM would be useful.

Thank you.

Jean-Louis GUENEGO · Answer 1 · Mon Oct 18 2021 16:26:58 GMT+0800 (China Standard Time)

I will consider it.

…

On Sat, Oct 16, 2021 at 10:43 PM fusscreme ***@***.***> wrote: Hi, Is there a possibility to suppress NTLM authentification and to only use Negotiate (Kerberos)? If someone brings their own device I cannot force a group policy object (GPO) to list the url in the intranet zone whitelist. And then the get this ugly popup in the browser, asking for credentials. Therefore a option forceNegotiate just like forceNTLM would be useful. Thank you. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#114>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAVV6TVHZFGACNBWOQJLLW3UHHPVZANCNFSM5GEAJUOA> .

-- Jean-Louis GUENEGO Tel : +33 6 12 19 81 48 mail: ***@***.***

James G · Answer 2 · Tue May 24 2022 22:45:48 GMT+0800 (China Standard Time)

I think this would be a good feature. node-sspi allows you to specify which SSPI packages to use with an array

sspiPackagesUsed:
default to ['NTLM']. An array of SSPI packages used. To obtain a list of all SSPI packages available on your server, download source code of mod-auth-sspi, then run bin\sspikgs.exe from your server's DOS console.