GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Rick van Rein rick at openfortress.nl
Sat Aug 27 08:02:53 EDT 2016


Hi Jordan,

> I looked into it, but my negotiate messages look like this: 
>
> "Negotiate YIID..." which I think means that they're Kerberos messages?

You should base64-decode it [Section 4.1 of RFC 4559] and dump that as GSSAPI content which, at least in this early phase, is DER-encoded.  You should make a dump of the decoded binary content with a tool like "openssl asn1parse" with a few layout options or, for much more/better information, with my Python script on https://github.com/vanrein/hexio/blob/master/derdump

There will be a number of OIDs to signal content following; these you can look up on duckduckgo.com.  You should see a general offer packet providing the available mechanisms, followed by one that it takes as a proactive guess -- normally Kerberos.

If you're still confused, you could also try sending the output here.

-Rick
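
The steps described in the message above (base64-decode the Negotiate value, walk the DER, look up the OIDs), as an added example that is not part of the original post and is not the derdump script. The function names, the small OID table and the sample token are assumptions constructed here; the sample carries 300 zero bytes where a real token would carry the Kerberos data.

```python
import base64

KNOWN = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(buf, pos=0):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid_name(body):  # dotted OID, or its name when listed in KNOWN
    arcs, val = [body[0] // 40, body[0] % 40], 0  # first byte packs two arcs (first arc 0 or 1)
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    oid = ".".join(map(str, arcs))
    return KNOWN.get(oid, oid)

def negotiate_mechs(header):  # returns (outer mechanism, [mechanisms offered inside SPNEGO])
    tag, body, _ = read_tlv(base64.b64decode(header.split()[-1]))
    if tag != 0x60:  # [APPLICATION 0]; with a 2-byte length (60 82 ..) the base64 starts "YII"
        raise ValueError("not a GSSAPI initial context token")
    _, oid, pos = read_tlv(body)
    outer, offered = oid_name(oid), []
    if outer == "SPNEGO":
        _, init, _ = read_tlv(body, pos)  # [0] NegTokenInit
        _, seq, _ = read_tlv(init)        # SEQUENCE
        mechlist, p = read_tlv(read_tlv(seq)[1])[1], 0  # [0] mechTypes -> SEQUENCE OF OID
        while p < len(mechlist):
            _, m, p = read_tlv(mechlist, p)
            offered.append(oid_name(m))
    return outer, offered

def _tlv(tag, value):  # small DER encoder, used only to build the constructed sample
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + size + value

_oid = lambda hexbytes: _tlv(0x06, bytes.fromhex(hexbytes))
# Constructed sample: SPNEGO offer of Kerberos 5 and NTLMSSP; 300 zero bytes stand in for the mechToken.
_mechs = _tlv(0xA0, _tlv(0x30, _oid("2a864886f712010202") + _oid("2b06010401823702020a")))
_init = _tlv(0xA0, _tlv(0x30, _mechs + _tlv(0xA2, _tlv(0x04, bytes(300)))))
SAMPLE = "Negotiate " + base64.b64encode(_tlv(0x60, _oid("2b0601050502") + _init)).decode()
print(negotiate_mechs(SAMPLE))
```

To check a captured header, pass the full "Negotiate ..." value to negotiate_mechs() in place of SAMPLE.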

