gss_init_sec_context error for spnego

Ken Raeburn raeburn at MIT.EDU
Mon Oct 20 17:16:47 EDT 2008

On Oct 20, 2008, at 16:57, Stephen Ince wrote:
> I think my hunch was correct, IIS is ignoring the req_flags.  
> Everything
> worked when I tested apache. The format of the token coming back  
> from IIS
> must be encrypted. I did an ethereal snoop and noticed that
> gss_init_sec_context fails and does not make any network calls.
> Is there a way I can check for the format of the IIS token from the  
> first
> gss_init_sec_context? I do not tell IIS to encrypt the token.

Right, gss_init_sec_context doesn't talk to the server.  It forms  
messages for you to send -- depending on your application protocol,  
perhaps base-64 encoded, perhaps with some wrapper text, etc -- and  
then (for the next call) you give it a message you got back from the  
server.  If you're using Kerberos, it *may* use the network to talk to  
the KDC, but if you already have local credentials, it may not need to.

As Tom indicated earlier, it's not really clear from your messages  
what you're doing -- whether the code you're working on is even on the  
client or server side and what software you're talking to.  Are you  
talking to Apache/IIS over the net with web client code you're  
modifying, or is your software plugging in to the server and getting  
contacted with IE?


More information about the krbdev mailing list