Thanks for the help. When I looked at the output, it contained mech 1.3.6.1.5.2.5, which I guess is GSS_IAKERB_MECHANISM ... Looking into that, I think I had a somewhat similar problem to this: http://stackoverflow.com/questions/23759016/spnego-kerberos-no-credential-found-error-with-requests-from-linux-client

But it wasn't a problem with my reverse DNS - that was set up properly, but the problem was some errant capitalization of the service principal in the KDC database. When I looked at the Wireshark output I saw that it was the TGS-REQ that was failing with an "UNKNOWN_SERVER" error, and looking into that a bit more I realized I had a problem with the name. When using AD I had had a SPN with CamelCase and that hadn't caused a problem, but with the MIT KDC it did, which was a stupid problem that I should've figured out.

Thanks for your help :)

Thanks,

Jordan Weitman-Soet
Safer Payments Software Developer
Phone: 1-778-327-7338 | Tie-Line: 3177338 | Mobile: 1-778-867-5683
E-mail: jordan.s...@ca.ibm.com
1190 Homer St Suite 401
Vancouver, BC V6B 2X6
Canada

From: Rick van Rein <r...@openfortress.nl>
To: Jordan Soet/CanWest/IBM@IBMCA
Cc: kerberos@mit.edu
Date: 08/27/2016 05:03 AM
Subject: Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Hi Jordan,

> I looked into it, but my negotiate messages look like this:
>
> "Negotiate YIID..." which I think means that they're Kerberos messages?

You should base64-decode it [Section 4.1 of RFC 4559] and dump that as GSSAPI content which, at least in this early phase, is DER-encoded.

You should make a dump of the decoded binary content with a tool like "openssl asn1parse" with a few layout options or, for much more/better information, with my Python script on https://github.com/vanrein/hexio/blob/master/derdump

There will be a number of OIDs to signal content following; these you can look up on duckduckgo.com. You should see a general offer packet providing the available mechanisms, followed by one that takes a proactive guess at it -- normally Kerberos.

If you're still confused, you could also try sending the output here.

-Rick
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
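
The decoding step discussed in the thread above, as an added example that is not part of either message and is not the derdump script linked there: it base64-decodes a Negotiate header value, walks the DER structure and names the mechanism OIDs it finds. The function names and the sample token are constructed for illustration, and the walker assumes single-byte tags, which is enough for the SPNEGO wrapper.

```python
import base64

KNOWN_MECHS = {  # mechanism OIDs commonly seen in HTTP Negotiate tokens
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.5.2.5": "IAKERB",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def decode_oid(body):  # content octets of a DER OBJECT IDENTIFIER
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:          # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)     # first group packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(data):
    """Yield every OID in a DER blob, descending into constructed elements."""
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:             # long form: next n octets hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated DER element")
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:              # constructed: SEQUENCE, [0], [APPLICATION 0]
            yield from walk_oids(body)
        pos += length

def negotiate_mechs(header_value):
    """Return (oid, name) pairs from a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64, validate=True)
    return [(o, KNOWN_MECHS.get(o, "unknown")) for o in walk_oids(token)]

# Constructed sample: SPNEGO NegTokenInit offering Kerberos 5 and IAKERB.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602306062b0601050502a0193017a0153013"
    "06092a864886f71201020206062b0601050205")).decode()
print(negotiate_mechs(SAMPLE))
```

On a real capture, an IAKERB entry in this list next to a failing TGS-REQ is the cue to look at the service principal and KDC lookup, as the thread describes.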