gss_accept_sec_context & rcache

Rainer Weikusat rainer.weikusat at
Tue May 30 05:18:47 EDT 2006

Jeffrey Hutzelman <jhutz at> writes:
> On Monday, May 29, 2006 01:05:47 PM +0200 Rainer Weikusat
> <rainer.weikusat at> wrote:
>> Is there a particular reason why gss_accept_sec_context
>> returns GSS_S_FAILURE/ KRB5_RC_REPLAY for duplicate
>> initiator tokens instead of GSS_S_DUPLICATE_TOKEN?
> Because GSS_S_DUPLICATE_TOKEN means that a duplicate per-message token
> was received when message replay detection is enabled.  It does not
> apply to context negotiation.

This is a quote from RFC1509, section 3.4:

	GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a
                        duplicate of a token already processed.  This
                        is a fatal error during context establishment.

The same text is contained in RFC2744 (and in both language
independent API specifications as well).

More information about the krbdev mailing list