MS SPNEGO Replay Detection

Nebergall, Christopher cneberg at sandia.gov
Wed Mar 19 15:23:32 EST 2003


I've been testing SPNEGO tokens sent by Internet Explorer, and the token's
internal Kerberos gss_init_sec_context token sent by IE is occasionally
being seen as a replay by MIT Kerberos.  This normally only occurs when I
try to load a page in apache with several images and I frequently reload the
page.

Here is some sample data from the krb5_authenticator structure that came in
the Microsoft Kerberos gss_init_sec_context token.

cusec 704858, ctime 1048017875, seq_number 426449224
*cusec 814233, ctime 1048017875, seq_number 411358733
*cusec 814233, ctime 1048017875, seq_number 411448245
cusec 829858, ctime 1048017875, seq_number 411151750
cusec 907983, ctime 1048017875, seq_number 414548316
cusec 532983, ctime 1048017879, seq_number 450799590
cusec 579858, ctime 1048017879, seq_number 449175263
cusec 595483, ctime 1048017879, seq_number 449262226
cusec 642358, ctime 1048017879, seq_number 449642092
cusec 657983, ctime 1048017879, seq_number 449731565
cusec 767358, ctime 1048017879, seq_number 452922215
*cusec 829858, ctime 1048017879, seq_number 450993440
cusec 845483, ctime 1048017879, seq_number 451762662
*cusec 829858, ctime 1048017879, seq_number 451149585

The cusec times with an asterisk have identical cusec and ctime fields, and
are seen as a replay by MIT Kerberos, but are not actually replays, because
the sequence numbers are different.  MIT Kerberos seems to start seq_numbers
at zero, but MS starts at some arbitrary value.  Does Microsoft implement
replay detection differently than MIT Kerberos?  If so, which is the correct
way?

Thanks,
Christopher Nebergall
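As an added illustration (not part of the original post, and not MIT's replay-cache code): a toy replay cache run over the sample authenticator fields quoted above, keyed once on (client, server, ctime, cusec) as the post describes, and once with seq_number added to the key. The client and server principal names are assumed constants, since the post does not give them.

```python
from collections import namedtuple

Auth = namedtuple("Auth", "cusec ctime seq_number")

# Authenticator fields copied from the list post, in the order they arrived.
SAMPLE = [
    Auth(704858, 1048017875, 426449224),
    Auth(814233, 1048017875, 411358733),
    Auth(814233, 1048017875, 411448245),  # same ctime/cusec as previous entry
    Auth(829858, 1048017875, 411151750),
    Auth(907983, 1048017875, 414548316),
    Auth(532983, 1048017879, 450799590),
    Auth(579858, 1048017879, 449175263),
    Auth(595483, 1048017879, 449262226),
    Auth(642358, 1048017879, 449642092),
    Auth(657983, 1048017879, 449731565),
    Auth(767358, 1048017879, 452922215),
    Auth(829858, 1048017879, 450993440),
    Auth(845483, 1048017879, 451762662),
    Auth(829858, 1048017879, 451149585),  # same ctime/cusec as two entries up
]

# Assumed principal names; the post does not include them.
CLIENT = "user@EXAMPLE.COM"
SERVER = "HTTP/web.example.com@EXAMPLE.COM"


def time_key(a):
    """Cache key using only the client timestamp, as the post says MIT does."""
    return (CLIENT, SERVER, a.ctime, a.cusec)


def time_seq_key(a):
    """Cache key that also folds in the authenticator sequence number."""
    return (CLIENT, SERVER, a.ctime, a.cusec, a.seq_number)


def replay_check(auths, keyfn):
    """Return 0-based indices of authenticators a cache keyed by keyfn rejects."""
    seen = set()
    rejected = []
    for i, a in enumerate(auths):
        k = keyfn(a)
        if k in seen:
            rejected.append(i)
        else:
            seen.add(k)
    return rejected
```

With the timestamp-only key, exactly the two asterisked entries are rejected; with the sequence number in the key, none are, while a byte-for-byte resend of an earlier authenticator is still caught by both.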



More information about the krbdev mailing list