SPNEGO APIs and Apache modules

Sam Hartman hartmans at MIT.EDU
Thu Sep 4 15:01:23 EDT 2003


>>>>> "Nebergall," == Nebergall, Christopher <cneberg at sandia.gov> writes:

    Nebergall,> If you hammer on a page with Internet Explorer it will
    Nebergall,> send what MIT Kerberos considers replays of the
    Nebergall,> gss-init-sec-context tokens.  So in order to get
    Nebergall,> around this you either need to always use SSL and
    Nebergall,> disable the replay cache on the server (which, unless
    Nebergall,> the API has changed in recent versions of MIT Kerberos,
    Nebergall,> there is no API to do this), or it might also work to
    Nebergall,> tweak MIT's replay cache to include sequence
    Nebergall,> numbers. (MS seems to pick a random number for their
    Nebergall,> initial sequence number, and these seem to change with
    Nebergall,> each request.)

Disabling the replay cache for this protocol would be a bad idea from
a security standpoint.
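
A toy model of the behaviour discussed in this thread, added here as an illustration and not taken from the thread or from MIT Kerberos: a replay cache keyed on (client, ctime, cusec) next to one that also keys on the sequence number. The struct layout, names and sample tokens are assumptions constructed for the example; entry expiry is omitted.

```c
#include <stdio.h>
#include <string.h>
/* Toy replay-cache entry; field names are assumptions modelled on the
 * Kerberos authenticator (client, ctime, cusec, seq-number). */
struct rc_entry { char client[64]; long ctime; int cusec; unsigned seq; };

#define RC_MAX 128
struct rcache {
    struct rc_entry e[RC_MAX];
    int n;
    int key_includes_seq;  /* 0: key is (client, ctime, cusec); 1: plus seq */
};

/* Returns 1 for a replay, 0 if new and stored, -1 if the cache is full
 * (a caller must treat -1 as a rejection, i.e. fail closed). */
int rc_check_and_store(struct rcache *rc, const struct rc_entry *a)
{
    for (int i = 0; i < rc->n; i++) {
        const struct rc_entry *s = &rc->e[i];
        if (strcmp(s->client, a->client) == 0 &&
            s->ctime == a->ctime && s->cusec == a->cusec &&
            (!rc->key_includes_seq || s->seq == a->seq))
            return 1;
    }
    if (rc->n == RC_MAX) return -1;
    rc->e[rc->n++] = *a;
    return 0;
}

/* Constructed sample: two distinct tokens sharing one timestamp but with
 * different sequence numbers, then an exact replay of the first token. */
int count_rejections(int key_includes_seq)
{
    struct rcache rc = { .n = 0, .key_includes_seq = key_includes_seq };
    struct rc_entry t1 = { "user@EXAMPLE.COM", 1062702083L, 500, 0x1a2b3c4dU };
    struct rc_entry t2 = t1;
    t2.seq = 0x99887766U;
    int rejected = 0;
    rejected += rc_check_and_store(&rc, &t1) == 1;  /* first sight: stored */
    rejected += rc_check_and_store(&rc, &t2) == 1;  /* same time, new seq */
    rejected += rc_check_and_store(&rc, &t1) == 1;  /* exact replay */
    return rejected;
}

int main(void)
{
    printf("without seq: %d rejected, with seq: %d rejected\n",
           count_rejections(0), count_rejections(1));
    return 0;
}
```

In this model the exact replay is rejected under both keys; only the second, distinct token is treated differently.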


