SPNEGO & IDP 3.2.1

Daniel Lutz daniel.lutz at switch.ch
Fri May 27 03:31:24 EDT 2016

Scott wrote:
> I do have this really vague memory of the SWITCH contingent mentioning a condition
> like this to me. Like maybe the code didn't handle that error case correctly initially
> and I needed to fix that, whereas I thought if the GSS loop completed that the name extract
> step would be guaranteed to work (which I still would think, so I don't understand the issue).
> I can't find anything in the archive on it, so it might have been off list.

We (SWITCH) could reproduce a similar case during testing back then, but we couldn't find
an explanation for the occurrence of the problem. (In the comment in the code mentioned
by Scott, "observed" refers to this test case.)

The problem occurred when the client had a valid Kerberos ticket, but the
service for getting a "service ticket" was not available. Still, the browser
(Firefox) sent the ticket to the IdP, and the library processing the ticket
seemed to accept this ticket. To be on the safe side, the IdP considers
this situation as a failure.

Ken, please can you provide us with more information?

- Which web browser do you use?
  Could you test with a different browser?
- Does the problem always occur, or from time to time only?
- Does the problem occur for any user?
- Do you use SPNEGO login with other web applications (especially
  non-Microsoft ones), too, and does it work there?


