gss_init_sec_context error for spnego
since at opendemand.com
Wed Nov 5 09:42:07 EST 2008
I have been meaning to update this thread. The issue was that IIS was returning
an NTLM token. Thanks for all the help.
----- Original Message -----
From: "Stephen Ince" <since at opendemand.com>
To: "Ken Raeburn" <raeburn at mit.edu>; <krbdev at mit.edu>
Sent: Monday, October 20, 2008 7:00 PM
Subject: Re: gss_init_sec_context error for spnego
> It is an HTTP client. I am trying to add Kerberos Negotiate (SPNEGO) support
> to our HTTP client. I am using the MIT KfW libraries on Win32. I noticed that
> Mozilla uses SSPI on Win32, but I don't think this is necessary; I would
> just like to use one Kerberos package.
> I have the authentication working against Apache/MIT KDC, but not against
> IIS/AD. Is it AD that is messing up?
> req_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG | GSS_C_REPLAY_FLAG;
> gss_init_sec_context(...);   // first call; this one may use the network
> // check ret_flags: will the token from IIS be encrypted?
> // use HTTP to get the input token from IIS
> int decode_len = apr_base64_decode_len(header);
> input_token.value = (char *)malloc(decode_len + 1);
> input_token.length = apr_base64_decode(input_token.value, header);
> gss_init_sec_context(...);   // with input_token set; this fails for IIS but not
> // I get a "Message stream modified" error
> ----- Original Message -----
> From: "Ken Raeburn" <raeburn at MIT.EDU>
> To: "Stephen Ince" <since at opendemand.com>
> Cc: <krbdev at MIT.EDU>
> Sent: Monday, October 20, 2008 5:16 PM
> Subject: Re: gss_init_sec_context error for spnego
>> On Oct 20, 2008, at 16:57, Stephen Ince wrote:
>>> I think my hunch was correct: IIS is ignoring the req_flags. Everything
>>> worked when I tested Apache. The format of the token coming back from
>>> must be encrypted. I did an Ethereal snoop and noticed that
>>> gss_init_sec_context fails and does not make any network calls.
>>> Is there a way I can check the format of the IIS token from
>>> gss_init_sec_context? I do not tell IIS to encrypt the token.
>> Right, gss_init_sec_context doesn't talk to the server. It forms
>> messages for you to send -- depending on your application protocol,
>> perhaps base-64 encoded, perhaps with some wrapper text, etc -- and then
>> (for the next call) you give it a message you got back from the server.
>> If you're using Kerberos, it *may* use the network to talk to the KDC,
>> but if you already have local credentials, it may not need to.
>> As Tom indicated earlier, it's not really clear from your messages what
>> you're doing -- whether the code you're working on is even on the client
>> or server side and what software you're talking to. Are you talking to
>> Apache/IIS over the net with web client code you're modifying, or is it
>> software plugging in to the server and getting contacted by IE?
> krbdev mailing list krbdev at mit.edu
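Since gss_init_sec_context only consumes whatever the application hands it, a practical check before the second call is to base64-decode the value after "WWW-Authenticate: Negotiate" and look at the leading bytes: a SPNEGO response starts with a [1] NegTokenResp tag (0xa1), a raw Kerberos or SPNEGO initial token starts with an APPLICATION 0 tag (0x60) followed by the mechanism OID, and an NTLM message starts with the literal "NTLMSSP\0", which is what this thread turned out to be. The classifier below is an added example, not code from the thread or from MIT Kerberos; it uses only libc (no GSS-API headers), and the base64 decoder, the DER header parsing and the sample tokens are all constructed for illustration.

```c
/* Added example, not code from the thread or from MIT Kerberos.
 * Classifies the token an HTTP server returns in
 * "WWW-Authenticate: Negotiate <base64>" before it is passed to the
 * second gss_init_sec_context call.  A raw NTLMSSP blob is not a SPNEGO
 * NegTokenResp, so the SPNEGO mechanism cannot continue with it.
 * Only libc is used; the sample tokens below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tok_kind {
    TOK_EMPTY,        /* bare "Negotiate" with no token */
    TOK_BAD_B64,      /* header value is not valid base64 */
    TOK_SPNEGO_INIT,  /* NegTokenInit (what a client sends first) */
    TOK_SPNEGO_RESP,  /* NegTokenResp (what a SPNEGO server should send back) */
    TOK_RAW_KRB5,     /* raw Kerberos 5 GSS token, no SPNEGO wrapper */
    TOK_NTLMSSP,      /* raw NTLMSSP message */
    TOK_UNKNOWN
};

static const char *tok_name[] = { "empty", "bad-base64", "spnego-init",
    "spnego-resp", "raw-krb5", "ntlmssp", "unknown" };

/* DER-encoded OIDs as they appear right after the APPLICATION 0 header */
static const uint8_t OID_SPNEGO[] = { 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02 };                /* 1.3.6.1.5.5.2 */
static const uint8_t OID_KRB5[]   = { 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02 }; /* 1.2.840.113554.1.2.2 */

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder; returns byte count, or -1 on a bad character or overflow. */
int b64decode(const char *in, uint8_t *out, size_t cap)
{
    size_t n = 0;
    unsigned acc = 0;
    int bits = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;   /* keep only the leftover bits */
        }
    }
    return (int)n;
}

/* Offset of the first content byte after the tag+length at p[0]; 0 if malformed. */
static size_t der_hdr_len(const uint8_t *p, size_t n)
{
    if (n < 2) return 0;
    if (p[1] < 0x80) return 2;              /* short-form length */
    size_t k = p[1] & 0x7f;                 /* long form: k length bytes follow */
    if (k == 0 || k > 4 || n < 2 + k) return 0;
    return 2 + k;
}

enum tok_kind classify_token(const uint8_t *t, size_t n)
{
    if (n == 0) return TOK_EMPTY;
    if (n >= 8 && memcmp(t, "NTLMSSP", 8) == 0)   /* 8 bytes: includes the NUL */
        return TOK_NTLMSSP;
    if (t[0] == 0xa1)                               /* [1] NegTokenResp */
        return TOK_SPNEGO_RESP;
    if (t[0] == 0x60) {                             /* GSS InitialContextToken */
        size_t off = der_hdr_len(t, n);
        if (off == 0) return TOK_UNKNOWN;
        if (n - off >= sizeof OID_SPNEGO && memcmp(t + off, OID_SPNEGO, sizeof OID_SPNEGO) == 0)
            return TOK_SPNEGO_INIT;
        if (n - off >= sizeof OID_KRB5 && memcmp(t + off, OID_KRB5, sizeof OID_KRB5) == 0)
            return TOK_RAW_KRB5;
    }
    return TOK_UNKNOWN;
}

/* Takes the text after "Negotiate " in the WWW-Authenticate header value. */
enum tok_kind classify_negotiate_header(const char *b64)
{
    uint8_t buf[4096];
    int n = b64decode(b64, buf, sizeof buf);
    if (n < 0) return TOK_BAD_B64;
    return classify_token(buf, (size_t)n);
}

int main(void)
{
    /* constructed: first 12 base64 chars of an NTLM challenge ("NTLMSSP\0" + type 2) */
    const char *hdr = "TlRMTVNTUAAC";
    printf("Negotiate %s -> %s\n", hdr, tok_name[classify_negotiate_header(hdr)]);
    return 0;
}
```

Run this on the header value before handing it to the second gss_init_sec_context call: anything other than spnego-resp (or raw-krb5, if the client started with the raw Kerberos mechanism) means the server did not continue the negotiation you started, and the GSS error is about the input token rather than about the KDC or req_flags.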