Steps to reproduce
As an example, IE is prompted with WWW-Authenticate: Negotiate, but responds with NegoEx/NLMP when the server is expecting Kerberos. The server responds with an HTML Form (in order to collect a different set of credentials) that is submitted via POST, but the response is in the same protection space, so it would be truncated. The server is obliged to redirect to a different protection space before responding with the HTML Form.
Microsoft’s current solution to this issue is using the Internet registry setting "DisableNTLMPreAuth", but a website cannot expect clients to always have control over the browser. In the above example, the authentication mechanism is for users inside and outside of the domain.
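The server-side workaround described in this report, as an added sketch that is not part of the original report or any Microsoft code: it classifies the client's Negotiate token and redirects NTLM or NegoEx clients before a form is served. The redirect URL and all function names are hypothetical, and the mechanism detection is a byte-scan heuristic rather than a full DER parser.

```python
import base64

# DER bodies of the SPNEGO mechanism OIDs relevant to a Negotiate token.
KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NEGOEX = bytes.fromhex("2b06010401823702021e")  # 1.3.6.1.4.1.311.2.2.30
SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm", NEGOEX: "negoex"}
FORM_URL = "https://forms.example.test/login"  # hypothetical, separate protection space

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form DER length only

def classify(authorization):
    """Return 'kerberos', 'ntlm', 'negoex', 'unknown' or None (no Negotiate token)."""
    scheme, _, b64 = (authorization or "").partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM, not wrapped in SPNEGO
        return "ntlm"
    # Heuristic, not a full DER parse: the known mech OID that appears first
    # is the client's preferred mechanism in the NegTokenInit mechTypes list.
    hits = [(token.find(_tlv(0x06, oid)), name) for oid, name in MECHS.items()]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits)[1] if hits else "unknown"

def respond(authorization):
    """Return (status, headers) for a server that expects Kerberos."""
    kind = classify(authorization)
    if kind is None:
        return 401, {"WWW-Authenticate": "Negotiate"}
    if kind == "kerberos":
        return 200, {}  # hand the token to the GSS-API / SSPI acceptor here
    # NTLM/NegoEx (or unparseable): do not serve the form here, redirect first.
    return 302, {"Location": FORM_URL}

def sample_token(*mechs):
    """Constructed NegTokenInit header carrying only a mechTypes list."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, m) for m in mechs))
    init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list)))
    return "Negotiate " + base64.b64encode(_tlv(0x60, _tlv(0x06, SPNEGO) + init)).decode()
```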
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Kamen M.”
Changed Assigned To to “Ivan P.”
Changed Assigned To from “Ivan P.” to “IE F.”
Changed Status to “By design”
Changed Status from “By design” to “Won’t fix”