Do multiple token exchanges ever happen?

Greg Hudson ghudson at MIT.EDU
Thu Dec 17 15:49:01 EST 2009

On Thu, 2009-12-17 at 15:27 -0500, Matthew M. DeLoera wrote:
> I do recall seeing it when playing around with NTLM and SSPI once upon a 
> time. How about with Kerberos-only?

It may happen with SPNEGO and krb5, though I'm not certain.

It can definitely happen with IAKERB and krb5, but that feature won't be
in MIT krb5 until 1.9.

For a basic krb5 exchange, I believe gss_init_sec_context will return
GSS_S_CONTINUE_NEEDED for mutual authentication, but that's still only
one token exchange from each side.

More information about the krbdev mailing list