HTTP binding of Kerberos GSS API - Behaviour with Mutual Auth
Greg Hudson
ghudson at MIT.EDU
Thu Nov 14 12:04:03 EST 2013
On 11/14/2013 08:49 AM, Manish Gupta wrote:
> but we read that sometimes multi-leg Kerberos can ask the client for a
> token more than once to verify the client; it is mentioned that in that case we need
> to read the inToken from the server and feed it again into init_sec_context.
Perhaps there was a miscommunication on this point. Kerberos with
mutual authentication involves two calls to gss_init_sec_context on the
initiator, but the second call does not produce a token. Only DCE-style
Kerberos authentication (which as far as I know is never used with HTTP)
would require multiple tokens from the client.
> We never came across any such case; we tested with many IIS implementations and the
> server accepts the client in just one shot.
> Can we assume that for HTTP it is safe to call init_sec_context
> just once to get a 200 OK reply from the HTTP server?
It is safe with these caveats:
1. You are embedding mechanism-specific knowledge into your application.
2. If you are doing mutual authentication and do not call
gss_init_sec_context a second time, then (a) you haven't authenticated
the server to the client, and (b) the client-side context is incomplete.
But since HTTP negotiate never uses the established context (as far as
I know), (b) is not a problem.
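As an added example (not code from this thread or from MIT Kerberos), here is the initiator loop described above, written in Python against a constructed toy mutual-authentication mechanism that stands in for Kerberos so the exchange runs without a KDC. The toy context's step()/complete interface is modelled on python-gssapi's SecurityContext; the keys, the HMAC-tagged token formats and the toy_http_server function are all constructed for this example and are not Kerberos messages. It shows both outcomes: with mutual auth the 200 OK carries a token that the second init_sec_context call consumes without producing one, and a client that stops after the first call has neither authenticated the server nor completed its context.

```python
import base64
import hashlib
import hmac
import os

# Constructed shared secrets; a real deployment gets these from the KDC, not from code.
CLIENT_KEY = b"constructed-client-key"
SERVER_KEY = b"constructed-server-key"
NEG = "Negotiate "


class ToyInitiator:
    """Stand-in for gss_init_sec_context: step(in_token) -> out_token or None."""

    def __init__(self, mutual):
        self.mutual = mutual            # equivalent of requesting GSS_C_MUTUAL_FLAG
        self.complete = False           # False while the context needs more input
        self.server_authenticated = False
        self._nonce = os.urandom(16)

    def step(self, in_token=None):
        if in_token is None:
            # First call: emit the AP-REQ-like token. Without mutual auth this
            # single call completes the context (the one-shot case seen with IIS).
            flag = b"\x01" if self.mutual else b"\x00"
            tag = hmac.new(CLIENT_KEY, flag + self._nonce, hashlib.sha256).digest()
            self.complete = not self.mutual
            return b"REQ" + flag + self._nonce + tag
        # Second call (mutual auth only): consume the AP-REP-like token and return
        # no token, as Kerberos does. This step is what authenticates the server.
        if in_token[:3] != b"REP":
            raise ValueError("expected a reply token")
        expected = hmac.new(SERVER_KEY, self._nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(in_token[3:], expected):
            raise ValueError("server could not prove knowledge of its key")
        self.server_authenticated = True
        self.complete = True
        return None


class ToyAcceptor:
    """Stand-in for gss_accept_sec_context on the HTTP server."""

    def __init__(self, server_key=SERVER_KEY):
        self._key = server_key

    def step(self, in_token):
        if in_token[:3] != b"REQ":
            raise ValueError("expected a request token")
        flag, nonce, tag = in_token[3:4], in_token[4:20], in_token[20:]
        expected = hmac.new(CLIENT_KEY, flag + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("client authentication failed")
        if flag == b"\x00":
            return None                 # no mutual auth requested: nothing to send back
        return b"REP" + hmac.new(self._key, nonce, hashlib.sha256).digest()


def toy_http_server(acceptor, authorization):
    """Constructed Negotiate endpoint: takes the Authorization header value and
    returns (status, response headers)."""
    if not authorization.startswith(NEG):
        return 401, {"WWW-Authenticate": "Negotiate"}
    out = acceptor.step(base64.b64decode(authorization[len(NEG):]))
    headers = {}
    if out is not None:
        # With mutual auth the 200 OK carries the reply token in WWW-Authenticate.
        headers["WWW-Authenticate"] = NEG + base64.b64encode(out).decode()
    return 200, headers


def negotiate_client(ctx, send):
    """Initiator loop for HTTP Negotiate. send(authorization) -> (status, headers).
    Returns (status, number of step calls made)."""
    calls = 1
    token = ctx.step(None)
    status, headers = send(NEG + base64.b64encode(token).decode())
    # Keep stepping while the mechanism still needs input. Kerberos mutual auth
    # needs exactly one more call, which consumes the server token and emits none.
    while not ctx.complete:
        www = headers.get("WWW-Authenticate", "")
        if not www.startswith(NEG):
            raise RuntimeError("no token from server; context cannot be completed")
        calls += 1
        if ctx.step(base64.b64decode(www[len(NEG):])) is not None:
            # Only DCE-style Kerberos would get here; it would need another request.
            raise NotImplementedError("mechanism wants to send a further token")
    return status, calls


def one_shot_client(ctx, send):
    """A client that calls init_sec_context once and stops at the 200 OK."""
    status, _ = send(NEG + base64.b64encode(ctx.step(None)).decode())
    return status
```

Running negotiate_client against a ToyAcceptor built with a wrong server key raises on the second step, which is the check a one-shot client never performs: it gets its 200 OK either way.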