Your explanation compares apples with oranges. First, you are comparing two different versions of curl in which one is fundamentally broken. Second, you are comparing MIT Kerberos with Heimdal but your server (probably Tomcat) uses JGSS.

Everything before 7.38.0 is broken. Great effort has been put into 7.38.0 from me and others to make things right.

The issue you are observing is that pre 7.38.0 does not send a SPNEGO token. JGSS tells you that. I have answered this question already on Stack Overflow: http://stackoverflow.com/a/23760218/696632.

As far as I can see, this isn't a curl problem but a network setup problem.

---
** [bugs:#1495] HTTP SPNEGO authentication doesn't seem to work properly under Linux**
**Status:** open
**Labels:** SPNEGO Kerberos 
**Created:** Fri Mar 13, 2015 02:17 PM UTC by Gunnar Schulze
**Last Updated:** Fri Mar 13, 2015 02:17 PM UTC
**Owner:** nobody
### Description ###
HTTP SPNEGO authentication doesn't seem to work properly under Linux (Centos 6.6). However, the version that is shipped with MacOS X Yosemite works as expected.
#### Curl Version used on Mac OS X: ####
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz 
#### Curl Version used on CentOS (self-compiled) ####
curl 7.41.0 (x86_64-redhat-linux-gnu) libcurl/7.41.0 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets 
---
### Steps to reproduce ###
$ kinit principal_at_REALM
$ curl --negotiate -u : http://host.domain:8888/path/to/rest/api
#### Expected response ####
{
	// Some JSON output		
}
#### Actual response ####
HTTP ERROR 403
Problem accessing /path/to/rest/api. Reason: 
    GSSException: No credential found for: 1.3.6.1.5.2.5 usage: Accept
---
On both operating systems I am able to obtain a valid Kerberos Ticket, however, authentication fails on the Linux machine. What is probably worth mentioning is that the Mac OS X version is compiled against Heimdal Kerberos whereas the Linux version is built against the MIT implementation.
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.