Simo Sorce
So what you are saying is that decryption is returning the actual ciphertext instead of the expected plaintext? It is not entirely clear to me what problem you are...
Do you have any debug log from the failures?
On a 401 the client should re-attempt authentication and get a new cookie, not sure why that would not be working. Adding an expiration on the cookie can probably be...
Ideally you have a session key that has a shorter expiration than credentials, when using sessions the client will just try to send a session cookie, however upon receiving a 401...
I think 401 with Negotiate header is the regular way to ask a client to authenticate, why is the client not trying is the question ...
If mod_auth_gssapi sees that the creds expiration has been reached in mag_check_session() then it will not proceed to the application at all and will return a 401 negotiate. However if...
Perhaps I need to cross check the cache lifetime with the lifetime claimed in the cookie. I expect there may be cases when the client can get confused and send...
Ah but I think I know how something like that can happen now that I think about your situation. Are you, by chance, sharing the same krb principal among multiple...
The expiration is one of the data points in the encrypted part (MagBearerToken). Can you detail better how you reproduced? What have you changed, and where? Are you performing constrained...
Ok, it seems to me the problem is that you have a shorter ticket_lifetime on the server than on clients, therefore when the server takes a delegated ticket it will...