gss_init_sec_context error for spnego
raeburn at MIT.EDU
Mon Oct 20 17:16:47 EDT 2008
On Oct 20, 2008, at 16:57, Stephen Ince wrote:
> I think my hunch was correct, IIS is ignoring the req_flags.
> worked when I tested apache. The format of the token coming back
> from IIS
> must be encrypted. I did an ethereal snoop and noticed that
> gss_init_sec_context fails and does not make any network calls.
> Is there a way I can check for the format of the IIS token from the
> gss_init_sec_context? I do not tell IIS to encrypt the token.
Right, gss_init_sec_context doesn't talk to the server. It forms
messages for you to send -- depending on your application protocol,
perhaps base-64 encoded, perhaps with some wrapper text, etc -- and
then (for the next call) you give it a message you got back from the
server. If you're using Kerberos, it *may* use the network to talk to
the KDC, but if you already have local credentials, it may not need to.
As Tom indicated earlier, it's not really clear from your messages
what you're doing -- whether the code you're working on is even on the
client or server side and what software you're talking to. Are you
talking to Apache/IIS over the net with web client code you're
modifying, or is your software plugging in to the server and getting
contacted with IE?
More information about the krbdev