Attempt to back off from Kerberos authentication if we don't have credentials.

If the user has a stale TGT, or is unable to generate a TGS for the server they are trying to communicate to, then generating an authentication token fails.
Rather than fail the entire network transaction in that case, we resend the request with an empty Authenticate (or Proxy-Authenticate) header, and remember that the Negotiate scheme is not a valid option for this particular transaction.

If the server responds back with headers like

WWW-Authenticate: Negotiate
WWW-Authenticate: Digest realm=foo

then the digest scheme is chosen in the next round.

BUG=33033
TEST=None

Review URL: http://codereview.chromium.org/3010010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@53002 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 3 insertions, 1 deletions

diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc
index 2bf39be..d4ad1f9 100644
--- a/net/socket_stream/socket_stream.cc
+++ b/net/socket_stream/socket_stream.cc
@@ -905,9 +905,11 @@ int SocketStream::HandleAuthChallenge(const HttpResponseHeaders* headers) {
   }
 
   auth_identity_.invalid = true;
+  std::set<std::string> disabled_schemes;
   HttpAuth::ChooseBestChallenge(http_auth_handler_factory_, headers,
                                 HttpAuth::AUTH_PROXY,
-                                auth_origin, net_log_, &auth_handler_);
+                                auth_origin, disabled_schemes,
+                                net_log_, &auth_handler_);
   if (!auth_handler_.get()) {
     LOG(ERROR) << "Can't perform auth to the proxy " << auth_origin;
     return ERR_TUNNEL_CONNECTION_FAILED;