Interoperate with incomplete SPNEGO responses

We have found at least one HTTP/Negotiate implementation in Java that does not set anything but the responseToken field in the first SPNEGO acceptor response token. This is technically a violation of RFC 4178 section 4.2.2, but it is harmless to support; we know the mechanism we were trying to negotiate, and can use that mechanism to process the token.

These implementations are probably not supporting any real negotiation, as the missing negState precludes any mechanism negotiation on failure. If a supportedMech is included that differs from the opportunistic one but no negState is provided, init_ctx_reselect() will fail with GSS_S_DEFECTIVE_TOKEN as it should.

[ghudson@mit.edu: edit comments and commit message]

https://github.com/krb5/krb5/commit/da748e7621ad20237f105eb1167832d4898fde66
Author: Simo Sorce
Committer: Greg Hudson
Commit: da748e7621ad20237f105eb1167832d4898fde66
Branch: master
 src/lib/gssapi/spnego/spnego_mech.c | 21 +++++++++------------
 1 files changed, 9 insertions(+), 12 deletions(-)
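
The acceptance rule described in the commit message above, modelled as an added example (not the krb5 patch or any code from the project): a minimal DER walk over the first NegTokenResp that records only which fields are present. The function and sample names, the constructed byte strings, and treating a matching supportedMech without negState as acceptable are assumptions; the negState value itself is not examined.

```c
#include <stddef.h>
#include <string.h>
enum verdict { USE_OPTIMISTIC, RESELECT, DEFECTIVE };
/* Constructed samples. KRB5_OID is the DER OID 1.2.840.113554.1.2.2. */
static const unsigned char KRB5_OID[] = {0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02};
/* Only a responseToken ("abc"): the incomplete form the commit tolerates. */
static const unsigned char TOK_BARE[] = {0xA1,0x09,0x30,0x07,0xA2,0x05,0x04,0x03,0x61,0x62,0x63};
/* A different supportedMech, no negState, plus a responseToken. */
static const unsigned char TOK_OTHER[] = {0xA1,0x17,0x30,0x15,0xA1,0x0C,0x06,0x0A,
    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0A,0xA2,0x05,0x04,0x03,0x61,0x62,0x63};
/* negState = request-mic (3) with the same different supportedMech. */
static const unsigned char TOK_NEGO[] = {0xA1,0x15,0x30,0x13,0xA0,0x03,0x0A,0x01,0x03,
    0xA1,0x0C,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0A};
/* Read one DER tag/length at *p, leaving *p at the contents; -1 if truncated. */
static int tlv(const unsigned char **p, const unsigned char *end, unsigned *tag, size_t *len)
{
    size_t n, k;
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    n = *(*p)++;
    if (n & 0x80) {                      /* long-form length, up to 2 bytes */
        k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - *p) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *(*p)++;
    }
    *len = n;
    return (size_t)(end - *p) < n ? -1 : 0;
}
/* Classify a first acceptor NegTokenResp against the optimistic mech OID. */
enum verdict classify_first_resp(const unsigned char *tok, size_t toklen,
                                 const unsigned char *opt, size_t optlen)
{
    const unsigned char *p = tok, *end = tok + toklen, *mech = NULL;
    unsigned tag; size_t len, mechlen = 0; int have_state = 0;
    if (tlv(&p, end, &tag, &len) || tag != 0xA1) return DEFECTIVE;
    end = p + len;                       /* [1] NegTokenResp wrapper */
    if (tlv(&p, end, &tag, &len) || tag != 0x30) return DEFECTIVE;
    end = p + len;                       /* inner SEQUENCE */
    while (p < end) {
        if (tlv(&p, end, &tag, &len)) return DEFECTIVE;
        if (tag == 0xA0) have_state = 1;                    /* negState */
        else if (tag == 0xA1) { mech = p; mechlen = len; }  /* supportedMech */
        p += len;                        /* responseToken, mechListMIC skipped */
    }
    if (mech == NULL || (mechlen == optlen && memcmp(mech, opt, optlen) == 0))
        return USE_OPTIMISTIC;   /* no mech named (or, assumed, the same one) */
    return have_state ? RESELECT : DEFECTIVE;  /* differing mech needs negState */
}
int main(void) { return classify_first_resp(TOK_BARE, sizeof TOK_BARE, KRB5_OID, sizeof KRB5_OID) != USE_OPTIMISTIC; }
```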