Mutual Auth flag and TGS exchange behaviour

Arpit Srivastava arpit.orb at
Wed Oct 23 16:38:38 EDT 2013

Hi!

As per my understanding from reading the RFC, TGS exchanges happen
between the client and KDC/TGS only, and Mutual Authentication is meant
for the purpose of authentication between the client and the service server.

But in my system, during TGS_REQ/REP, with the MUTUAL-AUTH flag set in
the gss_init_sec_context() routine call, there is some communication
between the client and the service server as well (i.e. during the service
ticket fetch, we have to contact Windows AD at port 88 as well as the
Exchange Server at port 80).

However, if MUTUAL-AUTH is disabled in gss_init_sec_context(), then
communication is only between the KDC/TGS and the client, and the client
gets the service ticket; but if MUTUAL-AUTH is enabled, then communication
is between the KDC/TGS and the client and also between the client and the
service server, with all three parties involved.

1. Is this behaviour specific to Windows Integrated Authentication
(SSPI Negotiate), or is it the correct behaviour of the Kerberos protocol?

2. What is the purpose of the client having to contact the service server
during the TGS fetch?
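The post above describes the GSS-API initiator side: a single gss_init_sec_context() call that, with the mutual flag off, completes immediately, and with it on, needs a token back from the service before the context is established. The following added example (not code from the original post or from any Kerberos implementation) shows that loop using the JDK's standard JGSS binding of the same GSS-API, which exposes the flag as requestMutualAuth(). The service name, host, port and the length-prefixed framing used to carry tokens over the socket are assumptions chosen for illustration; a real deployment needs a JAAS login configuration and a reachable KDC, and the KDC contact on port 88 happens inside initSecContext() in both modes.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;

/**
 * Minimal GSS-API (Kerberos v5 mechanism) initiator that makes the effect of
 * the mutual-authentication flag visible: count how many initSecContext()
 * calls are needed, and whether a token had to come back from the acceptor.
 */
public class MutualAuthInitiator {

    // Kerberos v5 mechanism OID (IANA-assigned, RFC 1964).
    private static final Oid KRB5_MECH = krb5Oid();

    // Hypothetical service and endpoint; replace with the real SPN and host.
    private static final String SERVICE = "HTTP@exchange.example.com";
    private static final String HOST = "exchange.example.com";
    private static final int PORT = 80;

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Result of one context-establishment run, for logging or assertions. */
    public static final class Outcome {
        public final int initCalls;      // how many times initSecContext() ran
        public final boolean mutual;     // ctx.getMutualAuthState() at the end

        Outcome(int initCalls, boolean mutual) {
            this.initCalls = initCalls;
            this.mutual = mutual;
        }
    }

    /**
     * Establishes a context with the service. With mutual == false the first
     * initSecContext() returns the AP-REQ and the context is already established
     * (nothing is required from the service). With mutual == true the same call
     * leaves the context unestablished until the service's AP-REP token arrives,
     * which is why the initiator must talk to the service during establishment.
     */
    public static Outcome establish(boolean mutual) throws GSSException, IOException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(mutual);   // the flag the post is asking about
        ctx.requestInteg(true);          // ask for integrity protection on later messages

        int calls = 0;
        try (Socket sock = new Socket(HOST, PORT);
             DataInputStream in = new DataInputStream(sock.getInputStream());
             DataOutputStream out = new DataOutputStream(sock.getOutputStream())) {

            byte[] inToken = new byte[0];
            while (!ctx.isEstablished()) {
                // Ticket acquisition from the KDC (port 88) happens inside this call.
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                calls++;
                if (outToken != null) {
                    sendToken(out, outToken);          // AP-REQ goes to the service
                }
                if (!ctx.isEstablished()) {
                    inToken = receiveToken(in);        // only reached when mutual auth is on
                }
            }
            return new Outcome(calls, ctx.getMutualAuthState());
        } finally {
            ctx.dispose();
        }
    }

    // Constructed framing for this example: 4-byte big-endian length, then the token.
    private static void sendToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    private static byte[] receiveToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > 1 << 20) {
            throw new IOException("unreasonable token length: " + len);
        }
        byte[] token = new byte[len];
        in.readFully(token);
        return token;
    }

    public static void main(String[] args) throws Exception {
        boolean mutual = args.length > 0 && args[0].equals("--mutual");
        Outcome o = establish(mutual);
        System.out.println("initSecContext calls: " + o.initCalls
                + ", mutual auth established: " + o.mutual);
    }
}
```

Run it once without and once with `--mutual`: the first run completes after one initSecContext() call and never waits on the socket, while the second blocks until the service answers with its AP-REP, which is the extra client-to-service traffic the post observes. Whether the acceptor honours the flag is visible in getMutualAuthState(); a client that requires proof of the service's identity should check that value rather than assume it.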
