HTTP binding of Kerberos GSS API - Behaviour with Mutual Auth

Greg Hudson ghudson at MIT.EDU
Thu Nov 14 12:04:03 EST 2013

On 11/14/2013 08:49 AM, Manish Gupta wrote:
> but we read that sometimes multi-leg Kerberos can ask from client
> token more than once to verify client, it is mentioned in that case we need
> to read inToken from server, feed it again in init_sec_context.

Perhaps there was a miscommunication on this point.  Kerberos with
mutual authentication involves two calls to gss_init_sec_context on the
initiator, but the second call does not produce a token.  Only DCE-style
Kerberos authentication (which as far as I know is never used with HTTP)
would require multiple tokens from the client.

> We never came across any case, we tested with many IIS implementations
> server accepts client in just one shot.
> Can we assume that for HTTP, it is safe to call init_sec_context
> just once, to get a 200 OK reply from HTTP server.

It is safe with these caveats:

1. You are embedding mechanism-specific knowledge into your application.

2. If you are doing mutual authentication and do not call
gss_init_sec_context a second time, then (a) you haven't authenticated
the server to the client, and (b) the client-side context is incomplete.
But since HTTP negotiate never uses the established context (as far as
I know), (b) is not a problem.
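The two-call initiator sequence described above, as an added example that is not from this thread or from MIT Kerberos: a library-agnostic driver for the HTTP Negotiate loop that feeds the server token from the final reply back into a second init call, and fails closed when mutual authentication was requested but the server never returned a token. `step` and `send` are assumed interfaces (with python-gssapi, `step` would be `lambda t: (ctx.step(t), ctx.complete)`); `scripted_kerberos` is a constructed stand-in for the exchange, not a real server or KDC.

```python
import base64

def parse_negotiate_header(value):
    """Return the raw GSS token from a 'Negotiate <base64>' header value, or None."""
    if not value:
        return None
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return None
    return base64.b64decode(blob.strip())

def negotiate(step, send, mutual=True, max_legs=8):
    """Drive gss_init_sec_context against an HTTP Negotiate server.

    step(in_token) -> (out_token, established) wraps one gss_init_sec_context call;
    send(authorization) -> (status, www_authenticate) performs one HTTP request.
    Returns (final_status, established), or raises if mutual auth cannot complete.
    """
    in_token, status = None, None
    for _ in range(max_legs):
        out_token, established = step(in_token)
        in_token = None
        if out_token:
            status, hdr = send("Negotiate " + base64.b64encode(out_token).decode())
            in_token = parse_negotiate_header(hdr)
        elif not established:
            raise RuntimeError("initiator produced no token but the context is incomplete")
        if established:
            # Kerberos mutual auth reaches this point on the *second* step, which
            # consumed the server's token (often carried on the 200 OK) and
            # produced nothing further to send.
            return status, True
        if in_token is None:
            if status == 200 and mutual:
                raise RuntimeError("200 OK without a server token: the server "
                                   "was never authenticated to the client")
            return status, False  # e.g. a plain 401 rejection
    raise RuntimeError("too many Negotiate legs")

# Constructed stand-in for a Kerberos mutual-auth exchange (no KDC or network):
# leg 1 emits an AP-REQ-like token, leg 2 consumes the server reply and emits nothing.
def scripted_kerberos(server_replies_with_token=True):
    legs = []
    def step(in_token):
        legs.append(in_token)
        if in_token is None:
            return b"AP-REQ", False
        if in_token != b"AP-REP":
            raise RuntimeError("unexpected server token")
        return None, True
    def send(_authorization):
        hdr = "Negotiate " + base64.b64encode(b"AP-REP").decode()
        return 200, (hdr if server_replies_with_token else None)
    return step, send, legs
```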
