MS SPNEGO Replay Detection

Nebergall, Christopher cneberg at
Wed Mar 19 15:23:32 EST 2003

I've been testing SPNEGO tokens sent by Internet Explorer and the token's
internal Kerberos gss_init_sec_context token sent by IE are occasionally
being seen as a replay by MIT Kerberos.  This normally only occurs when I
try to load a page in apache with several images and I frequently reload the

Here is some sample data from the krb5_authenticator structure that came in
the Microsoft Kerberos gss-init-sec-context token.

cusec 704858, ctime 1048017875, seq_number 426449224
*cusec 814233, ctime 1048017875, seq_number 411358733
*cusec 814233, ctime 1048017875, seq_number 411448245
cusec 829858, ctime 1048017875, seq_number 411151750
cusec 907983, ctime 1048017875, seq_number 414548316
cusec 532983, ctime 1048017879, seq_number 450799590
cusec 579858, ctime 1048017879, seq_number 449175263
cusec 595483, ctime 1048017879, seq_number 449262226
cusec 642358, ctime 1048017879, seq_number 449642092
cusec 657983, ctime 1048017879, seq_number 449731565
cusec 767358, ctime 1048017879, seq_number 452922215
*cusec 829858, ctime 1048017879, seq_number 450993440
cusec 845483, ctime 1048017879, seq_number 451762662
*cusec 829858, ctime 1048017879, seq_number 451149585

The cusec times with an asterisk have identical cusec and ctime fields, and
are seen as a replay by MIT Kerberos, but are not actually replays, because
the sequence numbers are different.  MIT Kerberos seems to start seq_numbers
at zero, but MS starts at some arbitrary value.  Does Microsoft implement
replay detection differently than MIT Kerberos?  If so, which is the correct

Christopher Nebergall

More information about the krbdev mailing list