SPNEGO APIs and Apache modules
Sam Hartman
hartmans at MIT.EDU
Thu Sep 4 15:01:23 EDT 2003
>>>>> "Nebergall," == Nebergall, Christopher <cneberg at sandia.gov> writes:
Nebergall,> If you hammer on a page with Internet Explorer it will
Nebergall,> send what MIT Kerberos considers replays of the
Nebergall,> gss-init-sec-context tokens. So in order to get
Nebergall,> around this you either need to always use SSL and
Nebergall,> disable the replay cache on the server (which, unless
Nebergall,> the API has changed in recent versions of MIT Kerberos,
Nebergall,> there is no API to do this), or it might also work to
Nebergall,> tweak MIT's replay cache to include sequence
Nebergall,> numbers. (MS seems to pick a random number for their
Nebergall,> initial sequence number, and these seem to change with
Nebergall,> each request.)
Disabling the replay cache for this protocol would be a bad idea from
a security standpoint.