gss_init_sec_context error for spnego
Stephen Ince
since at opendemand.com
Mon Oct 20 20:00:36 EDT 2008
Ken,
It is an HTTP client. I am trying to add Kerberos Negotiate (SPNEGO) support
for our HTTP client. I am using the MIT KfW libraries on Win32. I noticed that
Mozilla uses SSPI on Win32, but I don't think this is necessary. I would just
like to use one Kerberos package.
I have the authentication working for an Apache/MIT KDC server, but not for
an IIS/AD server. Is it the AD that is messing up?
OM_uint32 maj, min, ret_flags;
OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG | GSS_C_REPLAY_FLAG;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER, output_token = GSS_C_EMPTY_BUFFER;
gss_OID_desc spnego_oid = { 6, "\x2b\x06\x01\x05\x05\x02" };  /* SPNEGO, 1.3.6.1.5.5.2 */

/* first call, no input token yet; this one may use the network (to the KDC) */
maj = gss_init_sec_context(&min, GSS_C_NO_CREDENTIAL, &ctx, target_name,
        &spnego_oid, req_flags, 0, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
        NULL, &output_token, &ret_flags, NULL);
/* check ret_flags: will the token from IIS be encrypted? */
/* send output_token over HTTP and get the input token back from IIS */
int decode_len = apr_base64_decode_len(header);
input_token.value = (char *)malloc(decode_len + 1);
input_token.length = apr_base64_decode(input_token.value, header);
/* second call with the IIS token: this fails for IIS but not for Apache,
   with a "Message stream modified" error */
maj = gss_init_sec_context(&min, GSS_C_NO_CREDENTIAL, &ctx, target_name,
        &spnego_oid, req_flags, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token,
        NULL, &output_token, &ret_flags, NULL);
Steve
----- Original Message -----
From: "Ken Raeburn" <raeburn at MIT.EDU>
To: "Stephen Ince" <since at opendemand.com>
Cc: <krbdev at MIT.EDU>
Sent: Monday, October 20, 2008 5:16 PM
Subject: Re: gss_init_sec_context error for spnego
> On Oct 20, 2008, at 16:57, Stephen Ince wrote:
>> I think my hunch was correct, IIS is ignoring the req_flags. Everything
>> worked when I tested Apache. The format of the token coming back from IIS
>> must be encrypted. I did an Ethereal snoop and noticed that
>> gss_init_sec_context fails and does not make any network calls.
>> Is there a way I can check for the format of the IIS token from the first
>> gss_init_sec_context? I do not tell IIS to encrypt the token.
>
> Right, gss_init_sec_context doesn't talk to the server. It forms
> messages for you to send -- depending on your application protocol,
> perhaps base-64 encoded, perhaps with some wrapper text, etc -- and then
> (for the next call) you give it a message you got back from the server.
> If you're using Kerberos, it *may* use the network to talk to the KDC,
> but if you already have local credentials, it may not need to.
>
> As Tom indicated earlier, it's not really clear from your messages what
> you're doing -- whether the code you're working on is even on the client
> or server side and what software you're talking to. Are you talking to
> Apache/IIS over the net with web client code you're modifying, or is your
> software plugging in to the server and getting contacted with IE?
>
> Ken
>
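The question in the quoted message, how to check the format of the token IIS sends back before handing it to the second gss_init_sec_context call, can be answered without a GSS library: the token in the WWW-Authenticate: Negotiate header is base64 DER, and its outer structure (RFC 2743 InitialContextToken, RFC 4178 NegTokenInit/NegTokenResp, RFC 4121 Kerberos TOK_ID, or a raw NTLMSSP blob) is readable from the first few bytes. The script below is an added example, not code from this thread or from MIT krb5; every sample token in it is constructed (the inner Kerberos AP-REQ/AP-REP bodies are empty stubs) and the field names (inspect_header, classify_token, SAMPLE_IIS_HEADER, ...) are this example's own. It tells you which mechanism the server picked, its negState, and whether the inner token is an AP-REP or NTLM challenge; it does not by itself explain a "Message stream modified" error, it only shows what the initiator was actually fed.

```python
import base64
import re

# DER-encoded mechanism OIDs that turn up in HTTP Negotiate tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos",
              MS_KRB5_OID: "MS Kerberos", NTLMSSP_OID: "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_TOK_ID = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample tokens below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(buf, off=0):
    """Decode the DER TLV at buf[off]; return (tag, value, offset just past it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def context_fields(seq_body):
    """Map the [n] EXPLICIT fields of a SEQUENCE body to their inner (tag, value)."""
    fields, off = {}, 0
    while off < len(seq_body):
        ctag, cval, off = der_tlv(seq_body, off)
        fields[ctag & 0x1F] = der_tlv(cval)[:2]
    return fields


def classify_token(token):
    """Say what kind of GSS token this is: raw NTLM, raw Kerberos, NegTokenInit or NegTokenResp."""
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "raw NTLMSSP", "message_type": int.from_bytes(token[8:12], "little")}
    tag, body, _ = der_tlv(token)
    if tag == 0xA1:  # NegTokenResp (RFC 4178 4.2.2): what the acceptor (IIS) answers with
        f = context_fields(der_tlv(body)[1])
        out = {"kind": "SPNEGO NegTokenResp", "mechListMIC": 3 in f}
        if 0 in f:
            out["negState"] = NEG_STATE.get(f[0][1][0], "?")
        if 1 in f:
            out["supportedMech"] = MECH_NAMES.get(f[1][1], f[1][1].hex())
        if 2 in f:
            out["responseToken"] = classify_token(f[2][1])
        return out
    if tag == 0x60:  # RFC 2743 InitialContextToken: mech OID, then the mech's inner token
        _, oid, rest = der_tlv(body)
        mech = MECH_NAMES.get(oid, oid.hex())
        if oid != SPNEGO_OID:
            # Kerberos mech tokens carry a 2-byte TOK_ID right after the OID (RFC 4121)
            return {"kind": "raw %s token" % mech, "tok_id": KRB_TOK_ID.get(body[rest:rest + 2], "?")}
        # NegTokenInit (RFC 4178 4.2.1): [0] SEQUENCE { [0] mechTypes, [2] mechToken, ... }
        f = context_fields(der_tlv(der_tlv(body, rest)[1])[1])
        mechs, off = [], 0
        while 0 in f and off < len(f[0][1]):
            _, m, off = der_tlv(f[0][1], off)
            mechs.append(MECH_NAMES.get(m, m.hex()))
        out = {"kind": "SPNEGO NegTokenInit", "mechTypes": mechs}
        if 2 in f:
            out["mechToken"] = classify_token(f[2][1])
        return out
    return {"kind": "unrecognised", "first_byte": tag}


def inspect_header(www_authenticate):
    """Decode a 'Negotiate [base64]' WWW-Authenticate value; bare 'Negotiate' is the initial challenge."""
    m = re.fullmatch(r"\s*Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*", www_authenticate)
    if m is None:
        return {"kind": "not a Negotiate challenge"}
    if m.group(1) is None:
        return {"kind": "bare challenge"}
    return classify_token(base64.b64decode(m.group(1)))


# Constructed sample tokens (not captured from a real server); Kerberos bodies are empty stubs.
AP_REQ_STUB = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + der(0x6E, der(0x30, b"")))
AP_REP_STUB = der(0x60, der(0x06, KRB5_OID) + b"\x02\x00" + der(0x6F, der(0x30, b"")))
CLIENT_INIT = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30,
    der(0xA0, der(0x30, der(0x06, MS_KRB5_OID) + der(0x06, KRB5_OID) + der(0x06, NTLMSSP_OID)))
    + der(0xA2, der(0x04, AP_REQ_STUB)))))
IIS_RESP = der(0xA1, der(0x30,
    der(0xA0, der(0x0A, b"\x01"))           # negState: accept-incomplete
    + der(0xA1, der(0x06, KRB5_OID))        # supportedMech
    + der(0xA2, der(0x04, AP_REP_STUB))))   # responseToken: Kerberos AP-REP
NTLM_CHALLENGE = b"NTLMSSP\x00" + (2).to_bytes(4, "little") + b"\x00" * 24
SAMPLE_IIS_HEADER = "Negotiate " + base64.b64encode(IIS_RESP).decode()

if __name__ == "__main__":
    print(inspect_header(SAMPLE_IIS_HEADER))
    print(classify_token(CLIENT_INIT))
```

Run it against the real header by pasting the base64 from your own capture into inspect_header. A NegTokenResp whose supportedMech is NTLMSSP, or whose responseToken starts with "NTLMSSP", means the server did not pick Kerberos at all, which is worth knowing before blaming the Kerberos-level error.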