Single Sign On server for IBM WebSphere, Lotus Domino and Microsoft Windows workstations
Changed the SSL client to default to "TLSv1.2" rather than "SSL".
Now works with NTLMv2, the default used by Windows 7 workstations and Windows 2008 servers
An optimization was added to booster ESSO a while back that checked the booster session id:
> _pma_sess_id=2-11AD96187BA-11AD9662D5F;
to determine whether authentication should reoccur. If there is a valid booster ESSO session, then authentication is skipped. IE kills this optimization, because the LTPA token is valid and the booster session is valid BUT it sends Content-length: 0 and Authorization: headers.
We have removed the booster session checking. This means that every request will require the small overhead of reparsing all the cookies.
See: http://blogs.msdn.com/david.wang/archive/2005/12/01/HTTP-POST-Fails-for-Anonymous-Authentication.aspx
Added code to always remove the "Authorization:" HTTP header so that no remnants of the NTLM/SPNEGO handshake are passed to the backend server. This was causing a problem for IIS, as IIS was attempting to process the handshake itself. The issue only occurred for IE browsers POSTing data, as IE would include the last part of the handshake again in the final POST.
Fixed a regression bug introduced during the implementation of SPNEGO/Kerberos authentication. The issue is that Internet Explorer sends a POST with a content length of zero along with a new authentication. The old code was ignoring this re-authentication. For more information on the IE6 behaviour, please see http://www.websina.com/bugzero/kb/browser-ie.html
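The two fixes described above, re-authenticating whenever the browser sends a new NTLM/SPNEGO message even though its cookies are still valid, and always stripping "Authorization:" before the request reaches the backend, are shown here as an added Python example; it is not the product's own code. The function names, the list-of-tuples header representation and the sample request (including the `LtpaToken` value and the truncated NTLM type 1 message) are assumptions constructed for the illustration.

```python
import base64
import struct

HANDSHAKE_SCHEMES = ("ntlm", "negotiate")
NTLM_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(value):
    """Return (scheme, detail) for one Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in HANDSHAKE_SCHEMES:
        return scheme, "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed"
    if token.startswith(NTLM_SIGNATURE) and len(token) >= 12:
        # NTLM message type is a little-endian uint32 after the signature.
        return scheme, "ntlm-type-%d" % struct.unpack_from("<I", token, 8)[0]
    return scheme, "non-ntlm"  # e.g. a SPNEGO/Kerberos token


def must_reauthenticate(headers):
    """True if the request carries an NTLM/Negotiate message.

    Evaluated before any session-cookie shortcut, so a valid session
    never hides a handshake the browser has restarted.
    """
    return any(
        name.strip().lower() == "authorization"
        and classify_authorization(value)[0] in HANDSHAKE_SCHEMES
        for name, value in headers
    )


def headers_for_backend(headers):
    """Drop every Authorization header, whatever its case or count."""
    return [(n, v) for n, v in headers if n.strip().lower() != "authorization"]


# Constructed sample: zero-length POST with valid cookies plus a new handshake.
SAMPLE_TYPE1 = base64.b64encode(NTLM_SIGNATURE + struct.pack("<II", 1, 0)).decode()
SAMPLE_REQUEST = [
    ("Content-Length", "0"),
    ("Cookie", "LtpaToken=CONSTRUCTED; _pma_sess_id=2-11AD96187BA-11AD9662D5F"),
    ("Authorization", "NTLM " + SAMPLE_TYPE1),
    ("authorization", "Negotiate " + SAMPLE_TYPE1),
]
```

Matching the header name case-insensitively and removing every occurrence matters here: a backend such as IIS will act on any copy of the handshake that slips through.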