Forwarded credentials are cached and reused on Mac - is it acceptable?

Srinivas Cheruku srinivas.cheruku at
Tue Feb 4 08:04:39 EST 2014

Hi All,


I was using Chrome/Safari browser on Mac to authenticate the user using HTTP
Negotiate and found that the user is able to authenticate successfully and
able to forward his credentials to the web server in the first attempt.


After 5 minutes, if I try again I found that the authentication fails. 


On the Web Server (using Kerberos libraries built as per RFC 4120), I found
that the gss_accept_sec_context() failed because the KRB_CRED message was
created 5 minutes back and was not fresh.


According to RFC 4120, the KRB_CRED structure contains timestamp to make
sure the forwarded credentials are retrieved from KDC whenever needed and


   timestamp and usec

      These fields specify the time that the KRB-CRED message was

      generated.  The time is used to provide assurance that the message

      is fresh.



I understand that Mac OSX 10.9 is using Kerberos based on Heimdal code, and
I found the code
nit_sec_context.c?txt) in do_delegation() as follows:


     * First check for forward credentials in the cache instead of
     * going out to the network (expensive).
    kret = krb5_cc_get_config(context, ccache,
                             name, "gss-forward-cache", fwd_data);
    if (kret) {
        kret = krb5_get_forwarded_creds(context,



As you can see the forwarded credentials are acquired once and stored in
cache and reused instead of getting them from KDC. As per RFC, code on Web
Server is checking the timestamp in KRB_CRED message and failing due to the
fact that the browser on Mac is sending the same KRB_CRED message each time,
with same time stamp. I need to run kinit to get the TGT again (and not use
the existing credentials) so that the browser on Mac authenticates
successfully when Web server is accessed later.


The user is able to authenticate and forward the credentials when Mozilla on
Redhat is used (which is using MIT Kerberos) and we found that the forwarded
credentials are requested every time as per RFC. As the forwarded
credentials are not cached and the KRB_CRED message is fresh, the
gss_accept_context() on Web Server is able to accept the context


Does anybody know how to make Mac OSX work better with HTTP Negotiate
protocol ?


Do you think it is acceptable to reuse the forwarded credentials?




More information about the krbdev mailing list