Missing "ticket cache refresh" after ticket expired

Henning Horst horst.h at derooter.org
Thu Dec 9 12:07:30 EST 2010


Hello,

First of all I would like to thank all people involved in the
development and support of MIT Kerberos! Thank you for providing such a
great product to the community!

I have already been using KfW for quite some time and now I have got an
issue related to Kerberos for Windows I haven't been able to narrow down
completely. I would be happy about any help.

The setup is as follows:
-------------------------------
We have a Windows application which uses a third party vendor library
(Eldos Secure BlackBox, dynamically linked) to do SSH. The SSH
functionality includes GSSAPI authentication with Kerberos. The third
party library is addressed by our application via ActiveX and COM. The
third party library does the GSSAPI calls and the actual Kerberos stuff
is then provided by MIT Kerberos for Windows.


The issue we experience:
---------------------------------
The issue we experience is related to an expiring ticket. The issue
happens as follows:

1) Obtain a TGT
2) Do an SSH authentication with gssapi-with-mic
3) Outcome Successful

4) Ticket expires.
5) Try to do an SSH authentication with gssapi-with-mic
6) The Network Identity Manager comes up, asking for a password
7) Press cancel, the authentication fails [Everything as expected]

8) Obtain a new TGT in the Network Identity Manager
9) Try to do an SSH authentication with gssapi-with-mic

=> until now everything ok, but now:
10) The Network Identity Manager comes up asking for a password although
the correct TGT is in the cache [not the expected behavior]

So what I have found out is:

a) If I after 10) just press OK in the password dialog of the Kerberos
Network Identity Manager (without entering any password) the
authentication is successful.

or if I press cancel in 10) and

b) restart the application all subsequent authentications work again.


Until now I have not been able to reproduce this issue with the gss.exe
application. This always works as expected. The third party library
vendor claims that he does the same calls as in the gss-client.c code.
Since I have no possibility to look into the corresponding source code
(->closed source) I would be very happy about ideas from you (although
this is probably a problem in the third party library).

So:
-----
Does anyone have an idea what could be the reason for this behaviour? I
will be happy to provide a test application (how do I provide it best?
attach to email?), if someone would like to have a look.


Thank you very much in advance,

Best Regards,

Henning





