Attempt to back off from Kerberos authentication if we don't have credentials.

If the user has a stale TGT, or is unable to generate a TGS for the server they are trying to communicate to, then generating an authentication token fails.
Rather than fail the entire network transaction in that case, we resend the request with an empty Authenticate (or Proxy-Authenticate) header, and remember that the Negotiate scheme is not a valid option for this particular transaction.

If the server responds back with headers like

WWW-Authenticate: Negotiate
WWW-Authenticate: Digest realm=foo

then the digest scheme is chosen in the next round.

BUG=33033
TEST=None

Review URL: http://codereview.chromium.org/3010010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@53002 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 2 insertions, 1 deletions

diff --git a/net/http/http_auth_gssapi_posix.cc b/net/http/http_auth_gssapi_posix.cc
index a75b046..5c88375 100644
--- a/net/http/http_auth_gssapi_posix.cc
+++ b/net/http/http_auth_gssapi_posix.cc
@@ -725,6 +725,7 @@ int HttpAuthGSSAPI::GenerateAuthToken(const std::wstring* username,
                                       const std::wstring* password,
                                       const std::wstring& spn,
                                       std::string* auth_token) {
+  DCHECK(auth_token);
   DCHECK((username == NULL) == (password == NULL));
 
   if (!IsFinalRound()) {
@@ -821,7 +822,7 @@ int HttpAuthGSSAPI::GetNextSecurityToken(const std::wstring& spn,
                                         minor_status)
                << std::endl
                << DescribeContext(library_, scoped_sec_context_.get());
-    return ERR_UNEXPECTED;
+    return ERR_MISSING_AUTH_CREDENTIALS;
   }
 
   return OK;