GSSAPI Kerberos mechanism

Richard Sharpe rsharpe at
Fri Sep 6 05:13:01 GMT 2002


I think that this document is close to defining the format of KRB5 
requests in GSSAPI/SPNEGO


It says that this is the format:

 InitialContextToken ::= 
           thisMech        MechType 
                   -- MechType is OBJECT IDENTIFIER 
                   -- representing "Kerberos V5" 
           innerContextToken ANY DEFINED BY thisMech
                   -- contents mechanism-specific;
                   -- ASN.1 usage within innerContextToken
                   -- is not required

and that:

 The innerContextToken consists of a 2-byte TOK_ID field (defined below), 
followed by the Kerberos V5 KRB-AS-REQ, KRB-AS-REP, KRB-TGS-REQ, or 
KRB-TGS-REP messages, as appropriate. The TOK_ID field shall be one of the 
following values, to denote that the message is either a request to the 
KDC or a response from the KDC.

   Message          TOK_ID
   KRB-KDC-REQ      00 03
   KRB-KDC-REP      01 03

This is very close to what we see. The actual TOK_IDs seem to be:

   KRB-KDC-REQ  0x0001
   KRB-KDC-REP  0x0002
   KRB-ERROR    0x0003

Richard Sharpe, rsharpe at, rsharpe at, 
sharpe at
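The token layout discussed in the message above, as an added parsing example that is not part of the original post or of Samba's code. It assumes the standard GSS-API outer framing (tag 0x60 and a DER length, which the post does not show) and that the observed TOK_ID values are the two wire bytes read as a little-endian integer; the sample token is constructed.

```python
KRB5_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 mechanism OID
# TOK_ID values as observed in the post (assumed little-endian on the wire).
OBSERVED_TOK_IDS = {0x0001: "KRB-KDC-REQ", 0x0002: "KRB-KDC-REP", 0x0003: "KRB-ERROR"}

def read_der_length(buf, pos):
    """Return (length, next_pos) for a DER length starting at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated before length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)         # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_initial_context_token(token):
    """Return (mech_oid, tok_id or None, remaining inner token bytes)."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (expected tag 0x60)")
    total, pos = read_der_length(token, 1)
    end = pos + total
    if end > len(token):
        raise ValueError("token shorter than its declared length")
    if pos >= end or token[pos] != 0x06:
        raise ValueError("thisMech is not an OBJECT IDENTIFIER")
    oid_len, pos = read_der_length(token, pos + 1)
    if pos + oid_len > end:
        raise ValueError("OID runs past end of token")
    mech, inner = decode_oid(token[pos:pos + oid_len]), token[pos + oid_len:end]
    if mech != KRB5_OID:                  # other mechanisms: no TOK_ID parsed
        return mech, None, inner
    if len(inner) < 2:
        raise ValueError("missing 2-byte TOK_ID")
    return mech, int.from_bytes(inner[:2], "little"), inner[2:]

# Constructed sample: Kerberos V5 OID, TOK_ID bytes 01 00, placeholder payload.
_BODY = bytes.fromhex("06092a864886f712010202") + b"\x01\x00" + b"PAYLOAD"
SAMPLE = b"\x60" + bytes([len(_BODY)]) + _BODY
```
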
