HTTP binding of Kerberos GSS API - Behaviour with Mutual Auth

Arpit Srivastava arpit.orb at gmail.com
Wed Nov 13 02:46:28 EST 2013


Hi,

I have mutual authentication enabled at AD. I am also requesting mutual
authentication for the security context in my code at client side.
I am generating a token using init_sec_context and sending it with
negotiate in authorization header of HTTP requests (AP-REQ).

I was expecting that, because mutual authentication is enabled, multiple
exchanges of tokens between client and service server must take place before
the context is established successfully.
The expected response is HTTP 401 with a token (which I will again feed to
init_sec_context to generate the next token to be sent to the server).

However, the actual behaviour is different. Instead of HTTP 401, I am
getting the requested HTTP webpage in the response along with a token. I am
not able to comprehend:

1. When to stop the context establishment loop - when I receive the
intended HTTP response (and not HTTP 401) or when context.isEstablished()
becomes true?
2. Is this behaviour correct - getting the HTTP response which is not HTTP
401 even if the context is not fully established?
3. Also, it would be great if someone can quickly elaborate the behaviour
of token exchanges in case of mutual authentication taking place.

Looking forward to your help!

Regards,
Arpit
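The loop the post describes, as an added example that is not part of the original message or of any library it mentions. With SPNEGO over HTTP (RFC 4559), a server that accepts the AP-REQ and was asked for mutual authentication returns the requested page with HTTP 200 and a `WWW-Authenticate: Negotiate <token>` header carrying the AP-REP; the client must still feed that token to the context, and only the context's own completion flag says when the exchange is over. A client that stops at the first 200 without processing the final token has never verified the server. The GSS context is modelled as an object with `step(in_token)` returning an output token or `None` and a boolean `complete` attribute (the shape python-gssapi's `SecurityContext` uses); `FakeMutualContext`, `make_server`, the token strings and the page body are constructed stand-ins so the flow runs offline.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def _negotiate_token(resp: Response) -> Optional[bytes]:
    """Return the decoded gssapi-data from 'WWW-Authenticate: Negotiate <b64>', or None."""
    scheme, _, data = resp.headers.get("WWW-Authenticate", "").strip().partition(" ")
    if scheme.lower() == "negotiate" and data:
        return base64.b64decode(data)
    return None


def negotiate(ctx, send: Callable[[Optional[bytes]], Response], max_legs: int = 5) -> Response:
    """Drive the initiator context over HTTP.

    send(token) performs one request with 'Authorization: Negotiate <token>' (no header for None).
    The response body is handed back only once ctx.complete is True, i.e. after the
    server's AP-REP has been consumed; the HTTP status alone never ends the loop.
    """
    out = ctx.step(None)                                   # leg 1: produce the AP-REQ
    for _ in range(max_legs):
        resp = send(out)
        in_tok = _negotiate_token(resp)
        out = ctx.step(in_tok) if (in_tok is not None and not ctx.complete) else None
        if ctx.complete:
            if resp.status == 401:
                # Context finished on a challenge: resend the request carrying the last token.
                return send(out)
            return resp                                    # 200 + AP-REP: peer verified, body is trustworthy
        if resp.status != 401:
            # Server answered with content before mutual auth finished (e.g. 200 without a token):
            # the peer is unverified, so the body must not be consumed.
            raise PermissionError(f"HTTP {resp.status} received but context not established")
        if in_tok is None:
            raise PermissionError("authentication rejected by server")
    raise PermissionError("too many negotiation legs")


class FakeMutualContext:
    """Constructed stand-in for an initiator context with mutual auth requested.

    The first step emits 'AP-REQ'; the context completes only after consuming 'AP-REP'.
    """

    def __init__(self):
        self.complete = False

    def step(self, in_token: Optional[bytes]) -> Optional[bytes]:
        if in_token is None:
            return b"AP-REQ"
        if in_token == b"AP-REP":
            self.complete = True
            return None
        raise ValueError("unexpected token")


def make_server(mutual_reply: bool) -> Callable[[Optional[bytes]], Response]:
    """Constructed server: accepts 'AP-REQ' with a 200; returns the AP-REP only if mutual_reply."""

    def send(token: Optional[bytes]) -> Response:
        if token != b"AP-REQ":
            return Response(401, {"WWW-Authenticate": "Negotiate"}, b"")
        headers = {}
        if mutual_reply:
            headers["WWW-Authenticate"] = "Negotiate " + base64.b64encode(b"AP-REP").decode()
        return Response(200, headers, b"<html>constructed protected page</html>")

    return send


def demo():
    """Run the loop against a correct server and against one that omits the final token."""
    ok = negotiate(FakeMutualContext(), make_server(mutual_reply=True))
    try:
        negotiate(FakeMutualContext(), make_server(mutual_reply=False))
        refused = False
    except PermissionError:
        refused = True
    return ok.status, ok.body, refused


if __name__ == "__main__":
    print(demo())
```

In the first run the 200 arrives together with the AP-REP token, one more `step` consumes it, `complete` flips to true and the page is returned; in the second run the same 200 arrives without a token, the context never completes, and the body is refused rather than trusted.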

