Authenticating GSSAPI Client to SSPI Service

Peger, Daniel Heinrich dpeger at cosa.de
Fri Feb 9 02:43:49 EST 2007


Hi,

> > I already tried to introduce a mapping of the kerberos user principal
> > (test-user at KRBTEST.REALM.ORG) to a local user account (test-user) but
> > this didn't help either. Is the group that test-user belongs to of any
> > relevance?
> 
> No but you said you are using a Heimdal KDC so I'm curious about what
> "group" you're talking about since a Heimdal KDC doesn't support groups
> that Windows would understand.

I thought perhaps Windows would deny a member of 'guests' to be
authenticated with a ticket. I don't use groups for the Kerberos
principals but only for the 'test-user' account on my Windows machine
that I map the principal to.

> It should work just fine. Make sure you have the latest ticket. Otherwise
> get a packet capture paying particular attention to the principal
> names being used.

My ASN.1 reading capabilities are very limited but the tickets look just
fine to me. Especially since exactly the same tickets are accepted by
the GSSAPI version of the service implementation... Is there something
about this SPN thing? Actually I'm doing something somewhat strange here, since I
made my client and service apps talk to my Kerberos test realm, with my
machine being in a different NT domain. As I mentioned before, just a
proof of concept.

Best Regards,
Daniel.
 