Do multiple token exchanges ever happen?
Shawn M Emery
Shawn.Emery at sun.com
Thu Dec 17 16:26:00 EST 2009
Nicolas Williams wrote:
> On Thu, Dec 17, 2009 at 03:49:01PM -0500, Greg Hudson wrote:
>
>> On Thu, 2009-12-17 at 15:27 -0500, Matthew M. DeLoera wrote:
>>
>>> I do recall seeing it when playing around with NTLM and SSPI once upon a
>>> time. How about with Kerberos-only?
>>>
>> It may happen with SPNEGO and krb5, though I'm not certain.
>>
>> It can definitely happen with IAKERB and krb5, but that feature won't be
>> in MIT krb5 until 1.9.
>>
>> For a basic krb5 exchange, I believe gss_init_sec_context will return
>> GSS_S_CONTINUE_NEEDED for mutual authentication, but that's still only
>> one token exchange from each side.
>>
>
> One could also see it happening with user-to-user auth.

In Windows using SPNEGO, continue needed is used in cases when acceptors
send error tokens (viz. Kerberos) back to initiators. The security
context should be preserved by the application, with the expectation
that a second request is sent by the initiator w/o encapsulating the GSS
frame.
--
Shawn.
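
Added illustration, not code from this thread or from MIT krb5: a mock context-establishment loop showing why a caller keeps its context and keeps calling while the status is continue-needed, instead of assuming a fixed number of exchanges. The `step` function, status names, token numbering and `max_initiator_calls` parameter are constructed stand-ins for gss_init_sec_context / gss_accept_sec_context behaviour, not the real API.

```c
#include <stdio.h>

/* Stand-ins for the GSS-API major status values (constructed, not the real constants). */
enum status { ST_COMPLETE, ST_CONTINUE_NEEDED, ST_FAILURE };

/* Hypothetical per-side security context; it must be kept between calls. */
struct side { int is_initiator; int total; int seen; };

/* Mock of one init/accept call. Tokens are numbered 1..total; 0 means "no token". */
static enum status step(struct side *s, int in, int *out)
{
    *out = 0;
    if (in != 0) {
        if (in != s->seen + 1) return ST_FAILURE;   /* replayed or out of order */
        s->seen = in;
    } else if (!s->is_initiator || s->seen != 0) {
        return ST_FAILURE;          /* only the first initiator call has no input */
    }
    if (s->seen < s->total) *out = ++s->seen;       /* emit our next token */
    return s->seen >= s->total ? ST_COMPLETE : ST_CONTINUE_NEEDED;
}

/* Drive both sides until each reports completion. Returns 0 on success, -1 on
 * failure; *wire counts tokens sent. max_initiator_calls models a caller that
 * assumes a fixed number of exchanges. */
int establish(int total, int max_initiator_calls, int *wire)
{
    struct side ini = { 1, total, 0 }, acc = { 0, total, 0 };
    enum status ist, ast = ST_CONTINUE_NEEDED;
    int to_ini = 0, to_acc = 0, calls = 0;

    *wire = 0;
    do {
        if (calls++ == max_initiator_calls) return -1;  /* caller gave up too early */
        ist = step(&ini, to_ini, &to_acc);
        if (ist == ST_FAILURE) return -1;
        if (to_acc == 0) break;             /* the final call may emit no token */
        ++*wire;
        ast = step(&acc, to_acc, &to_ini);
        if (ast == ST_FAILURE) return -1;
        if (to_ini != 0) ++*wire;
    } while (ist == ST_CONTINUE_NEEDED);
    return (ist == ST_COMPLETE && ast == ST_COMPLETE) ? 0 : -1;
}

int main(void)
{
    int wire, rc = establish(4, 8, &wire);
    printf("rc=%d tokens=%d\n", rc, wire);
    return rc == 0 ? 0 : 1;
}
```

With `total` set to 2 the loop matches the mutual-authentication case described above (one token from each side); a caller capped at two initiator calls handles that case but fails on a four-token exchange.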