gss_init_sec_context error for spnego

Stephen Ince since at
Wed Nov 5 09:42:07 EST 2008

I have been meaning to update this thread. The issue was that IIS was returning
an NTLM token. Thanks for all the help.

----- Original Message ----- 
From: "Stephen Ince" <since at>
To: "Ken Raeburn" <raeburn at>; <krbdev at>
Sent: Monday, October 20, 2008 7:00 PM
Subject: Re: gss_init_sec_context error for spnego

> Ken,
>    It is an http client. I am trying to add kerberos negotiate (spnego) support
> for our http client. I am using mit kfw libraries on win32. I noticed that
> mozilla uses sspi on win32 but I don't think this is necessary. I just would
> like to use one kerberos package.
> I have the authentication working for apache/mit KDC server, but not for
> IIS/AD server. Is it the AD that is messing up?
> gss_init_sec_context // using the network
> // check the ret_flags, if the token from IIS will be encrypted?
> // use http to get the input token from IIS.
> int decode_len = apr_base64_decode_len(header);
> input_token.value = (char*)malloc(decode_len + 1);
> input_token.length = apr_base64_decode(input_token.value, header);
> gss_init_sec_context // set the input_token, this fails for IIS but not for
> Apache
> // I get a "Message stream modified" error
> Steve
> ----- Original Message ----- 
> From: "Ken Raeburn" <raeburn at MIT.EDU>
> To: "Stephen Ince" <since at>
> Cc: <krbdev at MIT.EDU>
> Sent: Monday, October 20, 2008 5:16 PM
> Subject: Re: gss_init_sec_context error for spnego
>> On Oct 20, 2008, at 16:57, Stephen Ince wrote:
>>> I think my hunch was correct, IIS is ignoring the req_flags.  Everything
>>> worked when I tested apache. The format of the token coming back from IIS
>>> must be encrypted. I did an ethereal snoop and noticed that
>>> gss_init_sec_context fails and does not make any network calls.
>>> Is there a way I can check for the format of the IIS token from the first
>>> gss_init_sec_context? I do not tell IIS to encrypt the token.
>> Right, gss_init_sec_context doesn't talk to the server.  It forms
>> messages for you to send -- depending on your application protocol,
>> perhaps base-64 encoded, perhaps with some wrapper text, etc -- and then
>> (for the next call) you give it a message you got back from the server.
>> If you're using Kerberos, it *may* use the network to talk to the KDC,
>> but if you already have local credentials, it may not need to.
>> As Tom indicated earlier, it's not really clear from your messages what
>> you're doing -- whether the code you're working on is even on the client
>> or server side and what software you're talking to.  Are you talking to
>> Apache/IIS over the net with web client code you're modifying, or is your
>> software plugging in to the server and getting contacted with IE?
>> Ken
> _______________________________________________
> krbdev mailing list             krbdev at
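The thread's resolution is that the "Message stream modified" failure came from IIS answering the Negotiate exchange with an NTLM token, which a Kerberos-only MIT KfW client cannot continue. The check below is an added example, not code from the thread or from MIT Kerberos: before the second gss_init_sec_context call, base64-decode the WWW-Authenticate: Negotiate value and look for the DER-encoded mechanism OIDs (Kerberos 5, the Microsoft Kerberos variant, NTLMSSP) or the raw "NTLMSSP\0" signature, so that an NTLM selection is reported as such instead of surfacing as an opaque GSS error. All sample tokens are constructed here; the SPNEGO negTokenResp sample is a hand-built stub whose responseToken is only the first 12 bytes of an NTLM CHALLENGE message, and the scan is a byte-substring search rather than a full DER parse.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a client can learn from a server's "WWW-Authenticate: Negotiate <b64>" value. */
enum negotiate_token_kind {
    NEG_TOKEN_EMPTY,        /* the header carried no token at all */
    NEG_TOKEN_UNDECODABLE,  /* value is not valid base64 */
    NEG_TOKEN_KERBEROS,     /* GSS/SPNEGO token carrying a Kerberos 5 mechanism */
    NEG_TOKEN_NTLM,         /* SPNEGO selected NTLMSSP, or a raw NTLMSSP blob */
    NEG_TOKEN_OTHER         /* decoded cleanly, but no recognised mechanism */
};

/* DER encodings of the mechanism OIDs as they appear inside GSS/SPNEGO tokens. */
static const uint8_t OID_KRB5[]    = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const uint8_t OID_MS_KRB5[] = {0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.48018.1.2.2 */
static const uint8_t OID_NTLMSSP[] = {0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a}; /* 1.3.6.1.4.1.311.2.2.10 */
static const uint8_t NTLMSSP_SIG[] = "NTLMSSP"; /* 8 bytes: the NTLM signature includes its NUL */

/* Minimal strict base64 decoder: returns the decoded length, or -1 on malformed input. */
static int b64_decode(const char *in, uint8_t *out, size_t out_cap)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) return -1;            /* whitespace or any other stray byte */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (uint8_t)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Byte-substring search (memmem is not portable C). */
static int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Classify an already-decoded token. NTLM is checked first because a SPNEGO reply
 * that selected NTLM carries the NTLMSSP OID and usually an NTLMSSP challenge too. */
enum negotiate_token_kind classify_negotiate_blob(const uint8_t *tok, size_t n)
{
    if (n == 0) return NEG_TOKEN_EMPTY;
    if (contains(tok, n, OID_NTLMSSP, sizeof OID_NTLMSSP) ||
        contains(tok, n, NTLMSSP_SIG, sizeof NTLMSSP_SIG))
        return NEG_TOKEN_NTLM;
    if (contains(tok, n, OID_KRB5, sizeof OID_KRB5) ||
        contains(tok, n, OID_MS_KRB5, sizeof OID_MS_KRB5))
        return NEG_TOKEN_KERBEROS;
    return NEG_TOKEN_OTHER;
}

/* Classify the base64 text that follows "Negotiate " in the WWW-Authenticate header. */
enum negotiate_token_kind classify_negotiate_token(const char *b64)
{
    uint8_t buf[4096];
    if (b64 == NULL || *b64 == '\0') return NEG_TOKEN_EMPTY;
    int len = b64_decode(b64, buf, sizeof buf);
    if (len < 0) return NEG_TOKEN_UNDECODABLE;
    return classify_negotiate_blob(buf, (size_t)len);
}

/* Constructed sample of a SPNEGO negTokenResp in which the server selected NTLM:
 * negState accept-incomplete, supportedMech NTLMSSP, responseToken = 12-byte CHALLENGE stub. */
const uint8_t SAMPLE_SPNEGO_NTLM_RESP[] = {
    0xa1, 0x25,                                  /* [1] negTokenResp, 37 bytes */
      0x30, 0x23,                                /* SEQUENCE, 35 bytes */
        0xa0, 0x03, 0x0a, 0x01, 0x01,            /* [0] negState = accept-incomplete */
        0xa1, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a, /* [1] supportedMech */
        0xa2, 0x0e, 0x04, 0x0c,                  /* [2] responseToken OCTET STRING, 12 bytes */
          'N','T','L','M','S','S','P',0x00, 0x02,0x00,0x00,0x00
};

int main(void)
{
    /* Constructed header values, not captured from any real server. */
    const char *samples[] = { "TlRMTVNTUAACAAAA", "YAsGCSqGSIb3EgECAg==", "" };
    static const char *names[] = { "empty", "undecodable", "kerberos", "ntlm", "other" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], names[classify_negotiate_token(samples[i])]);
    printf("spnego negTokenResp sample -> %s\n",
           names[classify_negotiate_blob(SAMPLE_SPNEGO_NTLM_RESP, sizeof SAMPLE_SPNEGO_NTLM_RESP)]);
    return 0;
}
```

In a client built on the MIT library alone, a NEG_TOKEN_NTLM result is the point to stop and report that the server did not accept Kerberos (typically a missing or wrong SPN for the IIS host, or a client without a usable ticket) rather than feeding the token into gss_init_sec_context and getting a generic failure back.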
