ID:	5533	Fixed in:
Issue Date:	2009-03-11 13:46 AEST	Owner:	CVS Support
Last Modified:	2009-03-11 13:46 AEST	Reporter:	Arthur Barrett
Current Est.	0.0 hours	% Complete:	0.0
Status:	NEW /	Severity:	enhancement

Affected:	2.5.03
Description:	SSPI is always 'not an encrypted connection' for 'require encryption'

Actions:

2009-03-11 13:46 AEST by Arthur Barrett - If the server option 'require encryption' is enabled then SSPI is NOT allowed as a connection protocol.

This is is a deliberate decision since the 'default' negotiated protocol uses NTML unless the user 
specifically alters the Active Directory or the CVSNT SSPI protocol library to only use Kerberos.

However if the CVSNT SSPI protocol library is limited to kerberos, the SSPI protocol sill still not be 
accepted.  This is a bug since Kerberos is a secure protocol.

The init() function in sspi.cpp needs to set valid_elements=valid_elements|flagAlwaysEncrypted if the 
global setting SspiKerberos (bKerberos) is true and the global settings SspiNtlm, SspiNegotiate, and   SspiSchannel (bNtlm, bNegotiate, SspiSchannel) are false.

Note: on the server the SSPI protocol may not even be loaded unless this is done because CProtocolLibrary::FindProtocol() checks it.

Query page