[37660] in Kerberos
Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?
daemon@ATHENA.MIT.EDU (Rick van Rein)
Sat Aug 27 08:03:23 2016
Message-ID: <57C1816D.3030808@openfortress.nl>
Date: Sat, 27 Aug 2016 14:02:53 +0200
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: JSoet <jordan.soet@ca.ibm.com>
In-Reply-To: <1472239969078-45912.post@n3.nabble.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Jordan,
> I looked into it, but my negotiate messages look like this:
>
> "Negotiate YIID..." which I think means that they're kerberos messages?
You should base64-decode it [Section 4.1 of RFC 4559] and dump that as GSSAPI content which, at least in this early phase, is DER-encode. You should make a dump of the decoded binary content with a tool like "openssl asn1parse" with a few layout options or, for much more/better information, with my Python script on https://github.com/vanrein/hexio/blob/master/derdump
There will be a number of OIDs to signal content following; these you can lookup on duckduckgo.com. You should see a general offer packet providing the available mechanisms, followed by one that it takes a proactive guess it -- normally Kerberos.
If you're still confused, you could also try sending the output here.
-Rick
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
