GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Jordan Soet Jordan.Soet at ca.ibm.com
Mon Aug 29 18:25:52 EDT 2016


Thanks for the help. When I looked at the output, it contained mech 
1.3.6.1.5.2.5, which I guess is GSS_IAKERB_MECHANISM ... Looking into that, 
I think I had a somewhat similar problem to this: 
http://stackoverflow.com/questions/23759016/spnego-kerberos-no-credential-found-error-with-requests-from-linux-client

But it wasn't a problem with my reverse DNS - that was set up properly; 
the problem was some errant capitalization of the service principal in 
the KDC database. When I looked at the Wireshark output I saw that the 
TGS-REQ was failing with an "UNKNOWN_SERVER" error, and looking into 
that a bit more I realized I had a problem with the name. When using AD I 
had had an SPN with CamelCase and that hadn't caused a problem, but with 
the MIT KDC it did, which was a stupid problem that I should've figured 
out. 

Thanks for your help :)

Thanks,

Jordan Weitman-Soet 
Safer Payments Software Developer 

Phone: 1-778-327-7338 | Tie-Line: 3177338 | Mobile: 1-778-867-5683 
E-mail: Jordan.Soet at ca.ibm.com 


1190 Homer St Suite 401 
Vancouver, BC V6B 2X6 
Canada 

From:   Rick van Rein <rick at openfortress.nl>
To:     Jordan Soet/CanWest/IBM at IBMCA
Cc:     kerberos at mit.edu
Date:   08/27/2016 05:03 AM
Subject:        Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Hi Jordan,

> I looked into it, but my negotiate messages look like this: 
>
> "Negotiate YIID..." which I think means that they're kerberos messages?

You should base64-decode it [Section 4.1 of RFC 4559] and dump that as 
GSSAPI content which, at least in this early phase, is DER-encoded.  You 
should make a dump of the decoded binary content with a tool like "openssl 
asn1parse" with a few layout options or, for much more/better information, 
with my Python script on 
https://github.com/vanrein/hexio/blob/master/derdump

There will be a number of OIDs to signal content following; these you can 
look up on duckduckgo.com.  You should see a general offer packet providing 
the available mechanisms, followed by one for which it takes a proactive 
guess -- normally Kerberos.

If you're still confused, you could also try sending the output here.

-Rick
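The procedure Rick describes (base64-decode the Negotiate value, dump the DER, read off the mechanism OIDs) as an added, self-contained example. This is not code from the thread and not the derdump script; it is a small Python DER walker that understands just enough of RFC 2743 (InitialContextToken), RFC 4178 (SPNEGO NegTokenInit) and RFC 4121 (the Kerberos TOK_ID) to report which mechanisms a client offered and which one it guessed optimistically. The sample header it parses is constructed inside the block with the DER encoders at the bottom, not captured from Jordan's setup; the IAKERB OID is the one named above, the other OIDs are the standard ones from those RFCs.

```python
"""Decode an HTTP "Negotiate <base64>" header down to its GSS-API mechanism OIDs."""
import base64

# SPNEGO (RFC 4178), Kerberos V5 (RFC 4121) and its Microsoft legacy OID, IAKERB (the OID in the thread's dump), NTLMSSP.
SPNEGO, KRB5, MS_KRB5 = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"
IAKERB, NTLMSSP = "1.3.6.1.5.2.5", "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos V5", MS_KRB5: "Kerberos V5 (MS OID)",
              IAKERB: "IAKERB", NTLMSSP: "NTLMSSP"}

def read_tlv(buf, pos):
    """(tag, value, end) of the DER TLV at buf[pos]; GSS tokens use 1-byte tags only."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag: not a GSS-API token")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past the end of the token")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """OID contents octets -> dotted string (first octet packs the first two arcs)."""
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_context_token(token):
    """Parse an RFC 2743 InitialContextToken ([APPLICATION 0] {thisMech OID, inner}).
    SPNEGO: list the offered mechTypes and recurse into the optimistic mechToken.
    Kerberos: the inner token starts with a 2-byte TOK_ID (RFC 4121 section 4.1)."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60 or body[:1] != b"\x06":
        raise ValueError("not an InitialContextToken ([APPLICATION 0] { OID, ... })")
    _, oid_body, pos = read_tlv(body, 0)
    mech = decode_oid(oid_body)
    info = {"mech": mech, "name": MECH_NAMES.get(mech, "unknown"), "offered": [], "tok_id": None, "optimistic": None}
    if mech == SPNEGO:
        _, neg, _ = read_tlv(body, pos)     # [0] NegTokenInit
        _, seq, _ = read_tlv(neg, 0)        # SEQUENCE of context-tagged fields
        p = 0
        while p < len(seq):
            ftag, field, p = read_tlv(seq, p)
            if ftag == 0xA0:                # [0] mechTypes: SEQUENCE OF OID
                _, lst, _ = read_tlv(field, 0)
                q = 0
                while q < len(lst):
                    _, ob, q = read_tlv(lst, q)
                    info["offered"].append(decode_oid(ob))
            elif ftag == 0xA2:              # [2] mechToken: OCTET STRING holding
                _, octets, _ = read_tlv(field, 0)  # the first mech's own token
                info["optimistic"] = parse_context_token(octets)
    elif mech in (KRB5, MS_KRB5):
        info["tok_id"] = body[pos:pos + 2].hex()   # "0100" = KRB_AP_REQ
    return info

def parse_negotiate_header(header):
    """'Negotiate <base64>' -> parsed token.  'YII...' is base64 for bytes 60 82 ..., an
    [APPLICATION 0] tag with a 2-byte length; the thread's 'YIID' means 0x03xx bytes."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    return parse_context_token(base64.b64decode(b64))

def header_for_token(token):
    return "Negotiate " + base64.b64encode(token).decode()

# --- DER encoders, used only to build a constructed sample (not a capture) ---
def der_tlv(tag, body):
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + body

def der_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytes([40 * a[0] + a[1]])
    for v in a[2:]:
        enc = bytes([v & 0x7F])
        while v := v >> 7:                  # higher base-128 digits carry the continuation bit
            enc = bytes([0x80 | (v & 0x7F)]) + enc
        out += enc
    return der_tlv(0x06, out)

def sample_negotiate_header():
    """Offers Kerberos, IAKERB, NTLMSSP; the optimistic mechToken is a stub AP-REQ (pvno 5, msg-type 14)."""
    ap_req_stub = der_tlv(0x6E, der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x05"))
                                        + der_tlv(0xA1, der_tlv(0x02, b"\x0e"))))
    krb_token = der_tlv(0x60, der_oid(KRB5) + b"\x01\x00" + ap_req_stub)
    mech_types = der_tlv(0xA0, der_tlv(0x30, der_oid(KRB5) + der_oid(IAKERB) + der_oid(NTLMSSP)))
    neg_init = der_tlv(0xA0, der_tlv(0x30, mech_types + der_tlv(0xA2, der_tlv(0x04, krb_token))))
    return header_for_token(der_tlv(0x60, der_oid(SPNEGO) + neg_init))
```

Calling `parse_negotiate_header(sample_negotiate_header())` returns the outer mech SPNEGO, the offered list in the client's preference order (Kerberos V5, IAKERB, NTLMSSP) and, under `optimistic`, the Kerberos token with TOK_ID `0100`, i.e. an AP-REQ. On a real header from a browser, the first entry of `offered` is the mechanism the client guessed, which is where 1.3.6.1.5.2.5 turned up in the dump discussed in this thread. What the parser cannot see is the KDC side: the UNKNOWN_SERVER failure on the TGS-REQ that Jordan found only shows in the Kerberos traffic, so this decode tells you which mechanism and token type the HTTP round trip carried, and Wireshark on the KDC exchange tells you why that mechanism had no ticket to send.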