GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?
Jordan Soet
Jordan.Soet at ca.ibm.com
Mon Aug 29 18:25:52 EDT 2016
Thanks for the help. When I looked at the output, it contained mech
1.3.6.1.5.2.5 which I guess is GSS_IAKERB_MECHANISM ... Looking into that
I think I had a somewhat similar problem to this:
http://stackoverflow.com/questions/23759016/spnego-kerberos-no-credential-found-error-with-requests-from-linux-client
But it wasn't a problem with my reverse DNS - that was set up properly;
the problem was some errant capitalization of the service principal in
the KDC database. When I looked at the Wireshark output I saw that the
TGS-REQ was failing with an "UNKNOWN_SERVER" error, and looking into
that a bit more I realized I had a problem with the name. When using AD I
had had an SPN with CamelCase and that hadn't caused a problem, but with
the MIT KDC it did, which was a stupid problem that I should've figured
out.
Thanks for your help :)
Thanks,
Jordan Weitman-Soet
Safer Payments Software Developer
Phone: 1-778-327-7338 | Tie-Line: 3177338 | Mobile: 1-778-867-5683
E-mail: Jordan.Soet at ca.ibm.com
1190 Homer St Suite 401
Vancouver, BC V6B 2X6
Canada
From: Rick van Rein <rick at openfortress.nl>
To: Jordan Soet/CanWest/IBM at IBMCA
Cc: kerberos at mit.edu
Date: 08/27/2016 05:03 AM
Subject: Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?
Hi Jordan,
> I looked into it, but my negotiate messages look like this:
>
> "Negotiate YIID..." which I think means that they're kerberos messages?
You should base64-decode it [Section 4.1 of RFC 4559] and dump that as
GSSAPI content which, at least in this early phase, is DER-encoded. You
should make a dump of the decoded binary content with a tool like "openssl
asn1parse" with a few layout options or, for much more/better information,
with my Python script on
https://github.com/vanrein/hexio/blob/master/derdump
There will be a number of OIDs to signal the content following; these you can
look up on duckduckgo.com. You should see a general offer packet providing
the available mechanisms, followed by one for which it takes a proactive guess
-- normally Kerberos.
If you're still confused, you could also try sending the output here.
-Rick
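As an added example (not from either poster, and not Rick's derdump script): a small Python script that does what Rick describes, base64-decoding the "Negotiate" header value and walking the DER to list the mechanism OIDs a SPNEGO NegTokenInit offers, so a mech such as 1.3.6.1.5.2.5 (IAKERB) shows up by name. The token bytes are constructed for this example and the OID-to-name table is a hand-written lookup; a raw (non-SPNEGO) Kerberos token is handled as the single-mechanism case.

```python
import base64

# Hand-written lookup of well-known GSS mechanism OIDs (constructed for this example).
MECH_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.3.6.1.5.2.5": "IAKERB", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content octets to dotted-decimal."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def negotiate_mechs(header):
    """List (oid, name) pairs a 'Negotiate <base64>' header offers: the single mech of a
    raw Kerberos token, or the mechTypes list of a SPNEGO NegTokenInit."""
    raw = base64.b64decode(header.split(None, 1)[1])
    tag, body, _ = der_tlv(raw)             # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, oid, pos = der_tlv(body)             # thisMech
    this_mech = decode_oid(oid)
    if this_mech != "1.3.6.1.5.5.2":        # not SPNEGO: token belongs to one mechanism
        return [(this_mech, MECH_NAMES.get(this_mech, "unknown"))]
    _, negtoken, _ = der_tlv(body, pos)     # [0] NegTokenInit
    _, seq, _ = der_tlv(negtoken)           # SEQUENCE { [0] mechTypes, ... }
    _, mech_types, _ = der_tlv(seq)         # [0] EXPLICIT wrapper
    _, oid_list, _ = der_tlv(mech_types)    # SEQUENCE OF OBJECT IDENTIFIER
    mechs, pos = [], 0
    while pos < len(oid_list):
        _, oid, pos = der_tlv(oid_list, pos)
        mechs.append((decode_oid(oid), MECH_NAMES.get(decode_oid(oid), "unknown")))
    return mechs

# Constructed sample: a SPNEGO NegTokenInit whose mechTypes offers IAKERB, then Kerberos V5.
SAMPLE_TOKEN = bytes.fromhex("6023 0606 2b0601050502 a019 3017 a015 3013 "
                             "0606 2b0601050205 0609 2a864886f712010202")
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
```

Calling negotiate_mechs on a header captured from a real client (the "Negotiate YIID..." form above decodes to a long-form length, which der_tlv handles) lists the offered mechanisms in order, the first being the one the client expects the server to accept.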