3.2.5.2 NegTokenInit2 Variation for Server-Initiation

Standard GSS has a strict notion of client (initiator) and server (acceptor). If the client has not sent a negTokenInit ([RFC4178] section 4.2.1) message, no context establishment token is expected from the server.

The SPNEGO extension allows the server to generate a context establishment token message (NegTokenInit2, section 2.2.1) and send it to the client when GSS_Accept_sec_context() is called without an input_token. The resulting token advertises the server's capabilities; it is not a response to any client message, since none has been sent.

The server generates a NegTokenInit2 message that includes the OIDs of the security protocols that are present and available on the server in the mechTypes field.

In the negHints field, the server places the string "not_defined_in_RFC4178@please_ignore" in the hintName field, expressed as ANSI encoding as specified in [ISO/IEC-8859-1]. The value is a fixed placeholder, not the server's name, and the client is expected to ignore it. For more information about how the hintName field is populated, see section 2.2.1.

The hintAddress field MUST be omitted and not transmitted. The NegTokenInit2 token is then passed to the client within the application protocol. When encoding the name, the configured locale on the computer SHOULD be used for the resulting character set. Because the placeholder string consists only of ASCII characters, the choice of locale or ANSI code page does not change the bytes that appear on the wire.
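The following is an added example, not code from the MS-SPNG specification or from any Windows implementation. It builds the server-initiated NegTokenInit2 described above (mechTypes plus a negHints carrying only the placeholder hintName, wrapped in the GSS-API InitialContextToken with the SPNEGO OID) and parses it back, checking the shape this section requires: the placeholder hintName is present and hintAddress is absent. The DER helpers are hand-rolled so the example runs with the standard library only; the three mechanism OIDs are a constructed sample list, and a real server advertises whatever its configuration provides.

```python
"""Build and parse a server-initiated SPNEGO NegTokenInit2 (MS-SPNG 2.2.1 / 3.2.5.2).

Added example; the DER encoding here is minimal and only covers what this
token needs (short and long definite lengths, OIDs with first arc 0-2).
"""

SPNEGO_OID = "1.3.6.1.5.5.2"
HINT_NAME = "not_defined_in_RFC4178@please_ignore"

# Constructed sample mechanism list for the demo (well-known GSS mechanism OIDs).
MS_KRB5 = "1.2.840.48018.1.2.2"
KRB5 = "1.2.840.113554.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def der_len(n: int) -> bytes:
    """DER definite-length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """One TLV: single-byte tag, DER length, contents."""
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 with continuation bits, most significant group first
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def build_neg_token_init2(mech_oids) -> bytes:
    """Server-initiated token: mechTypes [0] and negHints [3] only (3.2.5.2)."""
    mech_types = der(0xA0, der(0x30, b"".join(der_oid(o) for o in mech_oids)))
    # negHints carries hintName [0] as a GeneralString (tag 0x1B); hintAddress [1] is omitted.
    # The placeholder is pure ASCII, so ISO-8859-1 yields the same bytes as any ANSI code page.
    neg_hints = der(0xA3, der(0x30, der(0xA0, der(0x1B, HINT_NAME.encode("iso-8859-1")))))
    neg_token_init2 = der(0x30, mech_types + neg_hints)
    # NegotiationToken CHOICE negTokenInit [0], inside the GSS-API InitialContextToken
    # [APPLICATION 0] { thisMech = SPNEGO OID, innerContextToken }.
    return der(0x60, der_oid(SPNEGO_OID) + der(0xA0, neg_token_init2))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the TLV); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_neg_token_init2(blob: bytes) -> dict:
    """Parse a server-initiated token into mech_types, hint_name and hint_address."""
    tag, app, _ = _read_tlv(blob, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(app, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = _read_tlv(app, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, seq, _ = _read_tlv(choice, 0)
    result = {"mech_types": [], "hint_name": None, "hint_address": None}
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # mechTypes [0] SEQUENCE OF OID
            _, lst, _ = _read_tlv(body, 0)
            p = 0
            while p < len(lst):
                _, oid, p = _read_tlv(lst, p)
                result["mech_types"].append(_decode_oid(oid))
        elif tag == 0xA3:  # negHints [3] SEQUENCE { hintName [0], hintAddress [1] }
            _, hints, _ = _read_tlv(body, 0)
            p = 0
            while p < len(hints):
                t, v, p = _read_tlv(hints, p)
                _, inner, _ = _read_tlv(v, 0)
                if t == 0xA0:
                    result["hint_name"] = inner.decode("iso-8859-1")
                elif t == 0xA1:
                    result["hint_address"] = inner
    return result


def is_server_initiation_token(parsed: dict) -> bool:
    """True only for the 3.2.5.2 shape: placeholder hintName, no hintAddress, some mechTypes."""
    return (parsed["hint_name"] == HINT_NAME
            and parsed["hint_address"] is None
            and bool(parsed["mech_types"]))


if __name__ == "__main__":
    token = build_neg_token_init2([MS_KRB5, KRB5, NTLMSSP])
    print(token.hex())
    print(parse_neg_token_init2(token), is_server_initiation_token(parse_neg_token_init2(token)))
```

The built token begins `60 5e 06 06 2b 06 01 05 05 02 a0 54 30 52 a0 24 ...` and its negHints element is `a3 2a 30 28 a0 26 1b 24` followed by the 36-byte placeholder; a client that treats the hintName as a target service name, rather than ignoring it, would be acting on a constant that carries no information about the server.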