GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Benjamin Kaduk kaduk at MIT.EDU
Fri Aug 26 20:56:00 EDT 2016


On Thu, 25 Aug 2016, JSoet wrote:

> Hi, I'm implementing SPNEGO & Kerberos authentication in our application's
> webserver code and have it working fine when the KDC is Active Directory.
> I'm now testing it with an MIT KDC instance and when I attempt to
> authenticate a user who has a ticket from that KDC I get a
> GSS_S_CONTINUE_NEEDED status when I call gss_accept_sec_context...
>
> My understanding was that this couldn't happen for Kerberos authentication
> though, and the GSS_S_CONTINUE_NEEDED is only for other potential
> authentication types. For example, when I was investigating other
> implementations, the mod_auth_kerb module in the Apache webserver and the
> Kerberos module for the Flask webserver both ignore the possibility of
> continuation and in the Apache webserver it has this comment "This is a
> _Kerberos_ module so multiple authentication rounds aren't supported. If we
> wanted a generic GSS authentication we would have to do some magic with
> exporting context etc."

Some non-krb5 GSS mechanisms require multiple calls to
gss_accept_sec_context(); likewise if the negotiation portion of SPNEGO is
used (i.e., the client picks something that the server won't do).  But
it's hard to diagnose from just what has been said so far.  I would try
running the server with KRB5_TRACE set in the environment (a path to a log
file) and see if the trace output helps make things clear.  Otherwise,
it's probably going to be a matter of dissecting the actual protocol
messages exchanged, seeing what OIDs are sent, etc.

-Ben
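
For the "seeing what OIDs are sent" step suggested above, the following is an added example, not part of the original message or of any Kerberos project's code: it decodes the initial token from an `Authorization: Negotiate` header and lists the mechanism OIDs the client offered. The function names are hypothetical and the sample token is constructed for illustration (it carries a mechTypes list only, no mechToken).

```python
import base64

def read_tlv(buf, pos, want):
    """Return (value, next_pos) for the DER element at buf[pos]; its tag must equal want."""
    if pos + 2 > len(buf) or buf[pos] != want or buf[pos + 1] == 0x80:
        raise ValueError(f"expected definite-length tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of token")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:  # base-128 sub-identifiers, high bit means "more follows"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    if not subs or body[-1] & 0x80:
        raise ValueError("bad OID")
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def offered_mechs(header_value):
    """Return (outer mech OID, SPNEGO mechTypes in client preference order)."""
    token = base64.b64decode(header_value.split()[-1], validate=True)
    body, _ = read_tlv(token, 0, 0x60)           # GSS-API InitialContextToken
    oid, pos = read_tlv(body, 0, 0x06)
    outer = decode_oid(oid)
    if outer != "1.3.6.1.5.5.2":                 # not SPNEGO: raw mechanism token
        return outer, []
    inner, _ = read_tlv(body, pos, 0xA0)         # NegotiationToken: negTokenInit
    for tag in (0x30, 0xA0, 0x30):               # SEQUENCE, [0] mechTypes, SEQUENCE OF
        inner, _ = read_tlv(inner, 0, tag)
    mechs, p = [], 0
    while p < len(inner):
        oid, p = read_tlv(inner, p, 0x06)
        mechs.append(decode_oid(oid))
    return outer, mechs

# Constructed sample: SPNEGO offering legacy MS krb5, standard krb5, then NTLMSSP.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6032 06062b0601050502 a028 3026 a024 3022 06092a864882f712010202"
    "06092a864886f712010202 060a2b06010401823702020a")).decode()

if __name__ == "__main__":
    print(offered_mechs(SAMPLE))
```

Per RFC 4178 the first entry in mechTypes is the client's preferred mechanism, so comparing that entry with the mechanisms the acceptor supports shows whether the SPNEGO negotiation path is in play.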

