GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

JSoet jordan.soet at ca.ibm.com
Fri Aug 26 15:32:49 EDT 2016


> So, you should have a look at what travels between the peers. 

Thanks, Rick, I looked into it, but my negotiate messages look like this: 

"Negotiate YIID..." which I think means that they're Kerberos messages?
Anyone have any other ideas of what could be causing the continue_needed
message then? Could it be something with the DNS? I'm not really that
confident of my DNS setup, but don't really know what to look into to
determine if it's properly set up. (Although I also have
ignore_acceptor_hostname = true and I'm passing GSS_C_NO_CREDENTIAL to
gss_accept_sec_context, so I'm not sure if that even matters?)

I also noticed that if I switch the server back as it was before (with the
keytab for the service principal of the Active Directory KDC, and the
previous hostname, although with the krb5.conf still pointing at both
realms) and then try and do a login when I have a ticket of one of the users
from the new MIT realm it also gives me a continue_needed, so could it be
something to do with the tickets themselves? I've noticed that the tickets'
'renew until' time has already passed (but the tickets don't expire until 12
hrs in the future), but I'm not sure what to change to make the renew time
longer; the krb5.conf on the client has renew_lifetime set as 7d... And in
the kdc.conf on the KDC server the max_renewable_life is set as 5d... ?





--
View this message in context: http://kerberos.996246.n3.nabble.com/GSS-S-CONTINUE-NEEDED-when-doing-Kerberos-authentication-tp45900p45912.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
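
An added example, not part of the original message or of any Kerberos implementation: a Python decoder that reads the mechanism OIDs at the front of a `Negotiate` header value. The base64 prefix `YII` only shows GSS-API initial-token framing with a two-byte length, so the OID that follows is what separates a raw Kerberos token from SPNEGO, and a token beginning `NTLMSSP` carries no ticket at all. The function names and the sample byte strings are constructed for illustration.

```python
import base64

MECHS = {"1.3.6.1.5.5.2": "SPNEGO",  # well-known GSS-API mechanism OIDs
         "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of a DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid_name(body):  # DER OID content bytes -> mechanism name or dotted OID
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    oid = ".".join(map(str, arcs))
    return MECHS.get(oid, oid)

def classify(header):  # header: the HTTP "Negotiate <base64>" value
    tok = base64.b64decode(header.split(None, 1)[1])
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP"
    if tok[:1] != b"\x60":
        return "no GSS-API initial-token framing"
    _, pos, _ = read_tlv(tok, 0)  # [APPLICATION 0] wrapper
    _, s, pos = read_tlv(tok, pos)  # thisMech OID
    mech = oid_name(tok[s:pos])
    if mech != "SPNEGO":
        return mech
    for want in (0xA0, 0x30, 0xA0, 0x30):  # [0], SEQUENCE, [0] mechTypes, SEQUENCE OF
        tag, pos, end = read_tlv(tok, pos)
        if tag != want:
            return "SPNEGO (mechTypes not found)"
    offered = []
    while pos < end:
        _, s, pos = read_tlv(tok, pos)
        offered.append(oid_name(tok[s:pos]))
    return "SPNEGO offering " + ", ".join(offered)

def hdr(hexbytes):  # constructed sample bytes -> "Negotiate <base64>"
    return "Negotiate " + base64.b64encode(bytes.fromhex(hexbytes)).decode()
# Constructed samples: leading token bytes only, no real ticket data
RAW_KRB5 = hdr("60820300" "06092a864886f712010202" "0100")
SPNEGO = hdr("6027" "06062b0601050502" "a01d301ba0193017"
             "06092a864886f712010202" "060a2b06010401823702020a")
```

Pass `classify()` the complete header value as captured on the wire; a base64 string cut short, like the one quoted in the message, will not decode.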

