On Tue Jul 27 15:00:53 2021, amandeepgautam5@gmail.com wrote:

Sending my response to wider audience as I forgot to add the main mailing list initially.

Although that's a good instinct for most public lists, it isn't necessary for this one. krb5-bugs@mit.edu is fed from the bug tracker and doesn't accept mail directly.

If you can add more details on (2), I will be happy to make the change and test it.

If mech_requires_mechlistMIC() returns true, we want to send a MIC (because some Windows servers erroneously require one) but not require receiving one (because apparently some Windows servers erroneously don't send one if they receive one). Unfortunately, this will require some pretty close attention to detail, as the code currently assumes symmetric MIC requirements. One option is to split the mec_reqd flag into separate send and receive flags, but then each piece of code that uses it has to be analyzed for which half to pay attention to. The other is to move the mech_requires_mechlistMIC() check to the code that decides whether to send a MIC; that, too requires, some pretty close attention to the state machine.

I can't really provide more guidance without doing the work myself. SPNEGO as specified is very complicated, and SPNEGO as badly implemented by other endpoints is more so.