> So, you should have a look at what travels between the peers.

Thanks, Rick, I looked into it, but my negotiate messages look like this:
"Negotiate YIID..." which I think means that they're Kerberos messages?

Anyone have any other ideas of what could be causing the continue_needed message then? Could it be something with the DNS? I'm not really that confident of my DNS setup, but don't really know what to look into to determine if it's properly set up. (Although I also have ignore_acceptor_hostname = true and I'm passing GSS_C_NO_CREDENTIAL to gss_accept_sec_context, so I'm not sure if that even matters?)

I also noticed that if I switch the server back as it was before (with the keytab for the service principal of the Active Directory KDC, and the previous hostname, although with the krb5.conf still pointing at both realms) and then try and do a login when I have a ticket of one of the users from the new MIT realm, it also gives me a continue_needed, so could it be something to do with the tickets themselves?

I've noticed that the tickets' 'renew until' time has already passed (but the tickets don't expire until 12 hrs in the future), but I'm not sure what to change to make the renew time longer. The krb5.conf on the client has renew_lifetime set as 7d... And in the kdc.conf on the KDC server the max_renewable_life is set as 5d... ?

--
View this message in context: http://kerberos.996246.n3.nabble.com/GSS-S-CONTINUE-NEEDED-when-doing-Kerberos-authentication-tp45900p45912.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos