2016-10-26 15:10:29 |
Mark Donnelly |
description |
When the IdP's trust anchor changes (server cert, etc.), then the Moonshot ID Selector will rightly refuse to let a headless session continue. However, the error returned isn't very informative of the problem:
-----------------------------------------------------------------------------------------------
# gss-client -mech 1.3.6.1.5.5.15.1.1.17 localhost gss@localhost "hi"
GSS-API error str_to_oid: Unspecified GSS failure. Minor code may provide more information
GSS-API error str_to_oid: Unknown error
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: No Kerberos credentials available
-----------------------------------------------------------------------------------------------
(Using -spnego on gss-client is even less informative, but that's not a bug for this project.)
It would be great to have an error message that says something more like:
-----------------------------------------------------------------------------------------------
# gss-client -mech 1.3.6.1.5.5.15.1.1.17 localhost gss@localhost "hi"
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: The certificate we received for the authentication server for <realm> is different than expected
----------------------------------------------------------------------------------------------- |