HTTP binding of Kerberos GSS API - Behaviour with Mutual Auth

Greg Hudson ghudson at MIT.EDU
Wed Nov 13 11:40:13 EST 2013

On 11/13/2013 02:46 AM, Arpit Srivastava wrote:
> The expected response is HTTP 401 with a token (which I will again feed to
> init_sec_context to generate the next token to be sent to server).

Mutual authentication only requires a token from server to client.  It
does not require a second token from client to server.  (There is a mode
of the Kerberos mechanism which does involve a second client->server
token, but it is only used with DCE RPC.)

> 1. When to stop the context establishment loop - when I receive the
> intended HTTP response (and not HTTP 401) or when context.isEstablished()
> becomes true ?

The latter; but the last token may not be generated by gss_init_sec_context.

> 2. Is this behaviour correct - getting the HTTP response which is not HTTP
> 401 even if the context is not fully established ?

It seems correct.  The server has gotten all the authentication
information it expects to get from the client.
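The loop the two answers describe, as an added example that is not code from this thread: a client drives an assumed python-gssapi-style context (the `step()`/`.complete` names and the simulated tokens are assumptions) over a constructed Negotiate exchange, stops only when the context is established rather than on the HTTP status, consumes the server's mutual-auth token from the final non-401 response, and treats its absence as a failed mutual authentication.

```python
import base64
import re

# Assumed minimal context interface modelled on python-gssapi's
# SecurityContext.step()/.complete (names are assumptions, not from the thread).
class SimulatedClientContext:
    """Constructed stand-in for gss_init_sec_context with mutual auth:
    leg 1 emits the client token, leg 2 only consumes the server's proof."""
    def __init__(self):
        self.complete = False
        self._legs = 0
    def step(self, in_token=None):
        self._legs += 1
        if self._legs == 1:
            return b"AP-REQ(client)"        # the only client->server token
        if in_token == b"AP-REP(server)":   # server proves it holds the service key
            self.complete = True
            return None                     # no further client token (non-DCE case)
        raise ValueError("server token failed verification")

def _parse_negotiate(header):
    """Extract the base64 token from a 'WWW-Authenticate: Negotiate <token>' value."""
    m = re.match(r"Negotiate\s+(\S+)", header or "")
    return base64.b64decode(m.group(1)) if m else None

def negotiate(ctx, send):
    """Drive the loop; send(token_bytes) -> (status, www_authenticate, body)."""
    out = ctx.step()
    while True:
        status, www_auth, body = send(out)
        server_token = _parse_negotiate(www_auth)
        if status == 401:
            if server_token is None:
                raise PermissionError("server rejected the token")
            out = ctx.step(server_token)
            if out is None:
                raise PermissionError("server wants another leg but context has none")
            continue
        # Not 401: the server has everything it needs from us. Any token it
        # attached is the mutual-auth proof and must still be fed to the context.
        if server_token is not None:
            ctx.step(server_token)
        if not ctx.complete:
            raise PermissionError("mutual authentication incomplete: no server token")
        return status, body

def simulated_server(mutual=True):
    """Constructed server: accepts the client token and answers 200 (+ proof if mutual)."""
    def send(token):
        if token != b"AP-REQ(client)":
            return 401, "Negotiate", ""
        hdr = "Negotiate " + base64.b64encode(b"AP-REP(server)").decode() if mutual else None
        return 200, hdr, "hello"
    return send
```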
