GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Rick van Rein rick at openfortress.nl
Fri Aug 26 02:39:20 EDT 2016


Jordan,

> I haven't tried to implement the continuation of the context yet, because it
> will be a fair amount of work, so I thought I'd email the group to ask
> whether it's likely that there is just a problem with my setup, or if I'm
> mistaken and it is possible to get a continue_needed when working with
> Kerberos?

Have you had a look at the data that is actually exchanged?  SPNEGO is a
switch between mechanisms and may decide to change to another mechanism, for
whatever reason, including failure to use your MIT krb5 system.  But it
might also prefer to attempt another mechanism (or maybe none) initially.

You are correct that SPNEGO can make an educated guess and attach one
possible mechanism's output along with the SPNEGO bytes, in the hope
that it passes through directly; with Kerberos, that would mean that
one exchange suffices.  But SPNEGO may have other things on its
mind as well.

So, you should have a look at what travels between the peers.

-Rick
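
One way to look at what travels between the peers is to decode the SPNEGO wrapper of each captured token. The decoder below is an added example, not part of the original message or of MIT krb5; it assumes you have the raw GSS-API token bytes, and both sample tokens are constructed (the mechToken is a placeholder, and the NTLMSSP reply only illustrates an acceptor selecting another mechanism).

```python
SPNEGO_OID = "1.3.6.1.5.5.2"
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def tlv(buf, pos=0):
    """Read one DER element; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf, pos=0):
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def oid(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def describe(token):
    tag, body, _ = tlv(token)
    if tag == 0x60:                         # initial token: [APPLICATION 0] { thisMech, inner }
        _, mech, pos = tlv(body)
        if oid(mech) != SPNEGO_OID:         # e.g. raw Kerberos with no negotiation layer
            return {"type": "raw-mechanism", "mech": oid(mech)}
        tag, body, _ = tlv(body, pos)
    if tag not in (0xA0, 0xA1):
        raise ValueError("not a SPNEGO NegotiationToken")
    fields = {t & 0x1F: tlv(v)[1] for t, v in children(tlv(body)[1])}
    if tag == 0xA0:                         # NegTokenInit: offered mechanisms, optional mechToken
        return {"type": "NegTokenInit", "mechTypes": [oid(v) for _, v in children(fields[0])],
                "optimistic_token": 2 in fields}
    return {"type": "NegTokenResp",
            "negState": NEG_STATES.get(fields[0][0]) if 0 in fields else None,
            "supportedMech": oid(fields[1]) if 1 in fields else None,
            "responseToken": 2 in fields}

# Constructed samples (placeholder mechToken, not captured traffic).
INIT = bytes.fromhex("602f06062b0601050502a0253023a019301706092a864886f712010202"
                     "060a2b06010401823702020aa2060404deadbeef")
RESP = bytes.fromhex("a1153013a0030a0101a10c060a2b06010401823702020a")
```

An accept-incomplete negState means the negotiation expects further tokens, which is the situation in which the GSS-API caller sees GSS_S_CONTINUE_NEEDED; comparing supportedMech with the first entry of mechTypes shows whether the optimistic Kerberos token was the one the acceptor used.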


