- /* If we have tried it already, then there is not point
- retrying it. */
- logputs (LOG_NOTQUIET, _("Authorization failed.\n"));
- }
- else
- {
- char *www_authenticate = resp_header_strdup (resp,
- "WWW-Authenticate");
- /* If the authentication scheme is unknown or if it's the
- "Basic" authentication (which we try by default), there's
- no sense in retrying. */
- if (!www_authenticate
- || !known_authentication_scheme_p (www_authenticate)
- || BEGINS_WITH (www_authenticate, "Basic"))
- {
- xfree_null (www_authenticate);
- logputs (LOG_NOTQUIET, _("Unknown authentication scheme.\n"));
- }
+ /* IIS sends multiple copies of WWW-Authenticate, one with
+ the value "negotiate", and other(s) with data. Loop over
+ all the occurrences and pick the one we recognize. */
+ int wapos;
+ const char *wabeg, *waend;
+ char *www_authenticate = NULL;
+ for (wapos = 0;
+ (wapos = resp_header_locate (resp, "WWW-Authenticate", wapos,
+ &wabeg, &waend)) != -1;
+ ++wapos)
+ if (known_authentication_scheme_p (wabeg, waend))
+ {
+ BOUNDED_TO_ALLOCA (wabeg, waend, www_authenticate);
+ break;
+ }
+
+ if (!www_authenticate)
+ /* If the authentication header is missing or
+ unrecognized, there's no sense in retrying. */
+ logputs (LOG_NOTQUIET, _("Unknown authentication scheme.\n"));
+ else if (BEGINS_WITH (www_authenticate, "Basic"))
+ /* If the authentication scheme is "Basic", which we send
+ by default, there's no sense in retrying either. (This
+ should be changed when we stop sending "Basic" data by
+ default.) */
+ ;