remove check that mech token matches first in the list

remove check that mech token the client has proactively put in the neg token init has the same OID as its first mech type preference. This is to work around behaviour by Windows based clients that are not following the strict wording of RFC4178. (#352)
jcmturner · Jan 14, 2020 · 8a3a3d7 · 8a3a3d7
1 parent 898f35f
commit 8a3a3d7
Showing 1 changed file with 0 additions and 4 deletions.
diff --git a/spnego/negotiationToken.go b/spnego/negotiationToken.go
@@ -169,10 +169,6 @@ func (n *NegTokenInit) Verify() (bool, gssapi.Status) {
 			return false, gssapi.Status{Code: gssapi.StatusDefectiveToken, Message: "MechToken is not a KRB5 token as expected"}
 		}
 	}
-	// RFC4178 states that the initial negotiation message can optionally contain the initial mechanism token for the preferred mechanism of the client.
-	if !mt.OID.Equal(n.MechTypes[0]) {
-		return false, gssapi.Status{Code: gssapi.StatusDefectiveToken, Message: "OID of MechToken does not match the first in the MechTypeList"}
-	}
 	// Verify the mechtoken
 	return n.mechToken.Verify()
 }