replay of service tickets
Sorin Manolache
sorinm at gmail.com
Wed Mar 16 05:33:53 EDT 2016
Hello,
My apologies if it is not the right mailing list for asking this question.
I have a system consisting of an Authentication Server, a Backend and a
Client.
The Client first invokes the Authentication Server.
The Authentication Server executes
gss_acquire_cred()
gss_init_sec_context()
As a result, it obtains a kerberos service ticket that it sends to the
Client.
Next, the Client invokes the Backend and passes the obtained service ticket.
The Backend executes
gss_accept_sec_context().
The Client<->Authentication Server and Client<->Backend connections are HTTP. The
Client is oblivious to the fact that the data item it receives/sends is
a kerberos service ticket. To it, it's just opaque data, so the Client
uses no GSS/Kerberos stack.
Assuming that the service ticket expires in N seconds, may the Client
perform several requests to the Backend using the same service ticket
(that is, without making new requests to the Authentication Server)
during the N seconds until the ticket expiration?
I'm asking the question because I have two backends with two GSS stacks.
The backend with the binary GSS stack of MIT accepts the ticket several
times with no error. The second backend uses a Java GSS stack. It
accepts the ticket once but if I attempt a second request with the same
ticket then I get an exception indicating that I'm trying to replay the
ticket which it does not accept. Apparently the Java stack "remembers"
the ticket and rejects requests if it finds the ticket in its cache.
Which implementation obeys the standard? The Java one or the MIT GSS
stack? Are both approaches correct and is it just a matter of
configuring the two stacks?
Thank you in advance,
Sorin
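Added illustration, not part of the original post or of either GSS stack: a minimal model of the acceptor-side replay cache that Kerberos (RFC 4120 section 3.2.3) permits, which is what a rejection on the second use of an identical token corresponds to. It keys on the authenticator inside the AP-REQ (client, server, ctime, cusec), not on the ticket, so a fresh token built from the same still-valid ticket is accepted while a byte-for-byte resend is reported as a replay; principal names, timestamps and the 300-second skew are constructed values, and ctime is simplified to an epoch integer.

```python
from dataclasses import dataclass, field

CLOCK_SKEW = 300  # seconds; assumed acceptor policy, the common default maximum clock skew


@dataclass
class ReplayCache:
    """Server-side replay cache for Kerberos authenticators (AP-REQ).

    Keyed on (client principal, server principal, ctime, cusec). Entries
    older than the skew window are dropped: an authenticator that old is
    rejected on age alone, so it no longer needs to be remembered.
    """
    skew: int = CLOCK_SKEW
    _seen: dict = field(default_factory=dict)  # key -> time first accepted

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self._seen.items() if now - t > self.skew]
        for key in stale:
            del self._seen[key]

    def accept(self, client: str, server: str, ctime: int, cusec: int, now: float) -> str:
        """Return 'OK', 'SKEW' (authenticator outside the clock-skew window) or 'REPLAY'."""
        self._expire(now)
        if abs(now - ctime) > self.skew:
            return "SKEW"
        key = (client, server, ctime, cusec)
        if key in self._seen:
            return "REPLAY"  # identical authenticator already accepted once
        self._seen[key] = now
        return "OK"


def simulate() -> list:
    """Constructed scenario mirroring the post: the same GSS token (same
    authenticator) sent twice, then a new token built from the same ticket."""
    rc = ReplayCache()
    token = ("alice@EXAMPLE.COM", "HTTP/backend.example.com@EXAMPLE.COM", 1_000_000, 123456)
    results = [
        rc.accept(*token, now=1_000_001),   # first use of the token: OK
        rc.accept(*token, now=1_000_010),   # byte-identical resend: REPLAY
    ]
    fresh = token[:2] + (1_000_020, 7)      # same ticket, new authenticator (new ctime/cusec)
    results.append(rc.accept(*fresh, now=1_000_021))                     # OK
    results.append(rc.accept(*token, now=1_000_000 + 2 * CLOCK_SKEW))    # too old: SKEW
    return results
```

The third call is the case a client with its own GSS stack would produce on every request; the second is what a client that merely forwards opaque bytes produces.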