HTTP binding of Kerberos GSS API - Behaviour with Mutual Auth

Manish Gupta logonmanish at
Thu Nov 14 08:49:47 EST 2013

Hi Greg,

We are developing an HTTP client which uses Kerberos.
We are calling init_sec_context just once, with no while loop around it,
and the output token generated by this call is always accepted by the server,
and the server returns 200 OK with a response.
But we read that sometimes multi-leg Kerberos can ask the client for a
token more than once to verify the client; it is mentioned that in that case we need
to read inToken from the server and feed it again into init_sec_context.
We never came across any such case; we tested with many IIS implementations, and the
server accepts the client in just one shot.
Can we assume that for HTTP, it is safe to call init_sec_context
just once, to get a 200 OK reply from the HTTP server?
Or in some scenarios where delegation etc. is enabled
(multi-tier implementation), it may not work?


On Wed, Nov 13, 2013 at 10:10 PM, Greg Hudson <ghudson at> wrote:

> On 11/13/2013 02:46 AM, Arpit Srivastava wrote:
> > The expected response is HTTP 401 with a token (which I will again feed to
> > init_sec_context to generate the next token to be sent to server).
>
> Mutual authentication only requires a token from server to client.  It
> does not require a second token from client to server.  (There is a mode
> of the Kerberos mechanism which does involve a second client->server
> token, but it is only used with DCE RPC.)
>
> > 1. When to stop the context establishment loop - when I receive the
> > intended HTTP response (and not HTTP 401) or when context.isEstablished()
> > becomes true ?
>
> The latter; but the last token may not be generated by
> gss_init_sec_context.
>
> > 2. Is this behaviour correct - getting the HTTP response which is not
> > 401 even if the context is not fully established ?
>
> It seems correct.  The server has gotten all the authentication
> information it expects to get from the client.

It is hard to tell the world we live in, is either reality or dream
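
The loop described in the quoted reply, as an added example that is not part of the original thread: it stops when the context is established rather than on the HTTP status, and it treats a 200 that carries no server token as a failure while mutual authentication is still pending. `step`, `send`, `mutual_auth_initiator` and the `AP-REQ`/`AP-REP` byte strings are constructed stand-ins for gss_init_sec_context, the HTTP transport and real Kerberos tokens.

```python
import base64
import re

# "Negotiate <base64 token>" inside a WWW-Authenticate header value.
_NEGOTIATE = re.compile(r"(?:^|,)\s*Negotiate\s+([A-Za-z0-9+/]+=*)", re.I)

def server_token(headers):
    """Return the server's GSS token from the response headers, or None."""
    m = _NEGOTIATE.search(headers.get("WWW-Authenticate", ""))
    return base64.b64decode(m.group(1)) if m else None

def negotiate(step, send, max_legs=4):
    """step(in_token) -> (out_token, established) stands in for
    gss_init_sec_context; send(token) -> (status, headers) is one HTTP
    request. Both callables are assumptions of this example."""
    in_token = status = None
    for _ in range(max_legs):
        out_token, established = step(in_token)
        if out_token is not None:
            status, headers = send(out_token)
            in_token = server_token(headers)
        if established:
            return status
        if out_token is None or in_token is None:
            # A 200 with no reply token leaves the server unauthenticated.
            raise RuntimeError(f"HTTP {status}: context not established")
    raise RuntimeError("too many legs")

def mutual_auth_initiator():
    """Constructed stand-in for a Kerberos initiator with mutual auth."""
    legs = []
    def step(in_token):
        legs.append(in_token)
        if len(legs) == 1:
            return b"AP-REQ", False       # like GSS_S_CONTINUE_NEEDED
        if in_token != b"AP-REP":
            raise RuntimeError("bad server token")
        return None, True                 # like GSS_S_COMPLETE, no token out
    return step

def demo():
    """Constructed responses: a 200 carrying the final token, and a bare 200."""
    final = {"WWW-Authenticate": "Negotiate " + base64.b64encode(b"AP-REP").decode()}
    ok = negotiate(mutual_auth_initiator(), lambda tok: (200, final))
    try:
        negotiate(mutual_auth_initiator(), lambda tok: (200, {}))
    except RuntimeError as err:
        return ok, str(err)
```

A client that calls the initiator once and stops at the first 200 never reaches the second `step` call, so it never checks the server's token.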
