SPNEGO and MIT Kerberos V5 Usage

Arpit Srivastava arpit.orb at gmail.com
Wed Dec 11 08:02:23 EST 2013

Hi All,

I have a client application (that calls GSSAPI apis) which is doing HTTP
Negotiate authentication by adding Authorization header with GET requests
(as per RFC 4559).
Although the authentication is successful but there is difference in packet
dumps when I try to use Internet Explorer for same. Following is the packet
structure for both successful cases:

*In Internet Explorer: *
Authorization: Negotiate Token
Simple Protected Negotiation
mechType (MS KRB5, KRB5, ISO, NTLMSSP)

*In my client application (Kerberos V5 OID passed ):*
Authorization: Negotiate Token
GSS API (OID of Kerberos V5)

*Now, to avoid this discrepancy in packet formation, I tried passing OID of
SPNEGO to gss_init_sec_context() api instead of OID of Kerberos in mechtype
in my client. But it fails and I get Minor Status 1004.  *

I am not sure where I am going wrong to use SPNEGO as shown in packet dumps
above (I am using MIT Kerberos V5 Library 1.1.12 which supports SPNEGO).
Please let me know where I am going wrong.
Thanks !


More information about the Kerberos mailing list