GSSAPI and SPNEGO question

Greg Hudson ghudson at mit.edu
Mon Jul 11 18:40:02 EDT 2016


On 07/11/2016 06:14 PM, JSoet wrote:
> I'm just trying to understand why this works? Am I misunderstanding the
> specification and the whole SPNEGO token is supposed to be passed into the
> GSSAPI call and all the details about how the token is structured are just
> for the GSSAPI implementors?

SPNEGO is intended to be used just like any other GSS mechanism.  It has
an OID (1.3.6.1.5.5.2), and its tokens are framed with this OID and can
be distinguished from tokens for other mechanisms.  RFC 4178 is there
for the benefit of the mechanism implementor.

(I'm not 100% sure this is also true on Microsoft using SSPI, but it's
definitely the case for MIT krb5 and Heimdal.)
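
Added example, not part of the original message and not MIT krb5 or Heimdal code: a small C classifier that reads the generic initial-token framing (RFC 2743 section 3.1: tag 0x60, DER length, then the mechanism OID) and reports whether a token is framed for SPNEGO or for the Kerberos 5 mechanism. The function names, enum values and sample tokens are constructed for illustration; the sample bodies after the OID are placeholders.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER bodies of the mechanism OIDs (tag and length bytes excluded). */
static const unsigned char OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02}; /* 1.3.6.1.5.5.2 */
static const unsigned char OID_KRB5[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */

/* Constructed samples: correct framing, placeholder inner bodies. */
static const unsigned char SAMPLE_SPNEGO[] = {0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x00};
static const unsigned char SAMPLE_KRB5[] = {0x60,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x01,0x00};

enum gss_mech { MECH_INVALID = -1, MECH_UNKNOWN = 0, MECH_SPNEGO, MECH_KRB5 };

/* Read a DER definite length at buf[*pos]; returns 0 on success, -1 on error. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    size_t k = b & 0x7f;                           /* long form: k length octets */
    if (k == 0 || k > sizeof(size_t) || k > n - *pos) return -1;
    for (*out = 0; k > 0; k--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Classify an initial context token by the mechanism OID in its framing.
 * The outer length must cover exactly the rest of the buffer. */
enum gss_mech classify_initial_token(const unsigned char *tok, size_t n)
{
    size_t pos = 0, total, oidlen;
    if (n == 0 || tok[pos++] != 0x60) return MECH_INVALID;     /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &total) || total != n - pos) return MECH_INVALID;
    if (pos >= n || tok[pos++] != 0x06) return MECH_INVALID;   /* OBJECT IDENTIFIER */
    if (der_len(tok, n, &pos, &oidlen) || oidlen > n - pos) return MECH_INVALID;
    if (oidlen == sizeof OID_SPNEGO && !memcmp(tok + pos, OID_SPNEGO, oidlen)) return MECH_SPNEGO;
    if (oidlen == sizeof OID_KRB5 && !memcmp(tok + pos, OID_KRB5, oidlen)) return MECH_KRB5;
    return MECH_UNKNOWN;
}

int main(void)
{
    printf("%d %d\n", classify_initial_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO),
           classify_initial_token(SAMPLE_KRB5, sizeof SAMPLE_KRB5));
    return 0;
}
```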

