When the IdP's trust anchor changes (server cert, etc.), then the Moonshot ID Selector will rightly refuse to let a headless session continue. However, the error returned isn't very informative of the problem:
-----------------------------------------------------------------------------------------------
# gss-client -mech 1.3.6.1.5.5.15.1.1.17 localhost gss@localhost "hi"
GSS-API error str_to_oid: Unspecified GSS failure. Minor code may provide more information
GSS-API error str_to_oid: Unknown error
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: No Kerberos credentials available
-----------------------------------------------------------------------------------------------
(Using -spnego on gss-client is even less informative, but that's not a bug for this project.)
It would be great to have an error message that says something more like:
-----------------------------------------------------------------------------------------------
# gss-client -mech 1.3.6.1.5.5.15.1.1.17 localhost gss@localhost "hi"
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: The certificate we received for the authentication server for <realm> is different than expected
-----------------------------------------------------------------------------------------------