<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2656.13">
<TITLE>Microsoft Referral Code for Clients</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">I am looking into implementing the MS referral code for clients. The server-side referral code already exists in a patch available from the University of Michigan. The client code would allow clients to be ignorant of all trust relationships. They would then just ask the local KDC for all service principals. The KDC, depending on the domain name of the service principal, will return a cross-realm TGT to the next server in the referral path, as determined by the config file.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">I have found that I can change the krb5_get_cred_from_kdc_opt function to do the following:</FONT>
<BR><FONT SIZE=2 FACE="Arial">- copy the in_cred structure (the principal in_cred->server will be service_principal@localrealm; all service principals are considered to be in the local realm)</FONT>
<BR><FONT SIZE=2 FACE="Arial">- get a local TGT</FONT>
<BR><FONT SIZE=2 FACE="Arial">- call krb5_get_cred_via_tkt, given the local TGT and in_cred</FONT>
<BR><FONT SIZE=2 FACE="Arial">- if I receive a service ticket, I am done. If not, then I will receive a cross-realm TGT. Change the realm of the copy of in_cred->server to be the foreign realm of the returned TGT.</FONT>
<BR><FONT SIZE=2 FACE="Arial">- call krb5_get_cred_via_tkt again. Repeat until I have the service ticket.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">The problem I have realized is that the principal in_cred->server will be service_principal@localrealm and the principal out_cred->server will be service_principal@foreignrealm. Does this matter? GSSAPI doesn't seem to care. Do developers who use the native Kerberos code usually make sure that in_cred->server matches out_cred->server?</FONT></P>
<BR>
<P><FONT COLOR="#000000" SIZE=2 FACE="Arial">--------------------------------------</FONT>
<BR><FONT COLOR="#000000" SIZE=2 FACE="Arial">Daniel Wachdorf</FONT>
<BR><FONT COLOR="#000000" SIZE=2 FACE="Arial">drwachd@sandia.gov</FONT>
<BR><FONT COLOR="#000000" SIZE=2 FACE="Arial">Sandia National Laboratories</FONT>
<BR><FONT COLOR="#000000" SIZE=2 FACE="Arial">System Security Research and Integration</FONT>
<BR><FONT COLOR="#000000" SIZE=2 FACE="Arial">505-284-8060</FONT>
</P>
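<P><FONT SIZE=2 FACE="Arial">The referral chase described in the message above, as an added example that is not part of the original post, the University of Michigan patch, or MIT Kerberos. It models the loop in C against a constructed referral table instead of a real KDC, so it runs without libkrb5: the mock_creds type, the RULES table, mock_kdc, chase_referrals and server_realm_matches are all hypothetical stand-ins. The one thing it adds beyond the steps in the message is the check a practitioner wants before shipping such a loop: a hop limit and a refusal to revisit a realm, so that a misconfigured referral path (two realms pointing at each other) fails instead of spinning forever.</FONT></P>

```c
/* Added example, not from the original message, the UMich patch, or MIT krb5.
 * Models client-side referral chasing against a constructed KDC table. */
#include <stdio.h>
#include <string.h>

#define MAX_HOPS  8
#define PRINC_LEN 128

/* Hypothetical stand-in for krb5_creds: only the field the chase needs. */
typedef struct {
    char server[PRINC_LEN];   /* "svc/host@REALM" or "krbtgt/NEXT@REALM" */
} mock_creds;

/* Constructed stand-in for the KDC config file: when `realm` is asked for a
 * host ending in `suffix`, it either issues the ticket (next == NULL) or
 * returns a cross-realm TGT for `next`. First matching rule wins. */
typedef struct {
    const char *realm;
    const char *suffix;
    const char *next;
} referral_rule;

static const referral_rule RULES[] = {
    { "LOCAL.EXAMPLE", ".local.example", NULL },
    { "LOCAL.EXAMPLE", ".example",       "HUB.EXAMPLE" },
    { "HUB.EXAMPLE",   ".hub.example",   NULL },
    { "HUB.EXAMPLE",   ".leaf.example",  "LEAF.EXAMPLE" },
    { "LEAF.EXAMPLE",  ".leaf.example",  NULL },
    /* constructed misconfiguration: HUB and LOOP refer to each other */
    { "HUB.EXAMPLE",   ".loop.example",  "LOOP.EXAMPLE" },
    { "LOOP.EXAMPLE",  ".loop.example",  "HUB.EXAMPLE" },
};

static int ends_with(const char *s, const char *suf) {
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && strcmp(s + ls - lf, suf) == 0;
}

static const char *realm_of(const char *princ) {
    const char *at = strrchr(princ, '@');
    return at ? at + 1 : "";
}

/* The question raised in the message: does the realm the client asked for
 * match the realm on the ticket it got back? */
int server_realm_matches(const char *in_server, const char *out_server) {
    return strcmp(realm_of(in_server), realm_of(out_server)) == 0;
}

/* Constructed KDC. The realm in `request` is the one answering (the client
 * holds a TGT for it). Returns 1 = service ticket, 2 = cross-realm TGT,
 * 0 = no rule (KDC would return an error). */
static int mock_kdc(const char *request, mock_creds *out) {
    const char *slash = strchr(request, '/');
    const char *at = strrchr(request, '@');
    if (!slash || !at || at < slash) return 0;
    char host[PRINC_LEN];
    size_t hl = (size_t)(at - slash - 1);
    if (hl >= sizeof host) return 0;
    memcpy(host, slash + 1, hl);
    host[hl] = '\0';
    const char *realm = at + 1;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        if (strcmp(RULES[i].realm, realm) != 0 || !ends_with(host, RULES[i].suffix))
            continue;
        if (RULES[i].next == NULL) {
            snprintf(out->server, PRINC_LEN, "%s", request);
            return 1;
        }
        snprintf(out->server, PRINC_LEN, "krbtgt/%s@%s", RULES[i].next, realm);
        return 2;
    }
    return 0;
}

/* Client side of the chase: start by assuming service@local_realm, and on
 * each cross-realm TGT retry with the realm taken from krbtgt/NEXT@realm.
 * Returns the number of cross-realm hops (>= 0) and fills out->server, or
 * -1 on a KDC error, the hop limit, or a referral cycle. */
int chase_referrals(const char *service, const char *local_realm, mock_creds *out) {
    char realm[PRINC_LEN];
    char seen[MAX_HOPS + 1][PRINC_LEN];
    int hops = 0;
    snprintf(realm, sizeof realm, "%s", local_realm);
    snprintf(seen[0], PRINC_LEN, "%s", realm);
    for (;;) {
        char req[PRINC_LEN];
        mock_creds reply;
        if (snprintf(req, sizeof req, "%s@%s", service, realm) >= (int)sizeof req) return -1;
        int rc = mock_kdc(req, &reply);
        if (rc == 1) { *out = reply; return hops; }
        if (rc != 2) return -1;
        /* Next realm is the instance component of the returned krbtgt principal. */
        if (strncmp(reply.server, "krbtgt/", 7) != 0) return -1;
        const char *next = reply.server + 7;
        const char *at = strrchr(next, '@');
        if (at == NULL) return -1;
        size_t nl = (size_t)(at - next);
        if (nl == 0 || nl >= sizeof realm) return -1;
        memcpy(realm, next, nl);
        realm[nl] = '\0';
        /* Refuse to revisit a realm: a misconfigured path would otherwise loop. */
        for (int i = 0; i <= hops; i++)
            if (strcmp(seen[i], realm) == 0) return -1;
        if (++hops > MAX_HOPS) return -1;
        snprintf(seen[hops], PRINC_LEN, "%s", realm);
    }
}

int main(void) {
    const char *svcs[] = { "host/a.local.example", "host/a.leaf.example", "host/a.loop.example" };
    mock_creds out;
    for (size_t i = 0; i < sizeof svcs / sizeof svcs[0]; i++) {
        int hops = chase_referrals(svcs[i], "LOCAL.EXAMPLE", &out);
        if (hops < 0) printf("%s: referral chase failed\n", svcs[i]);
        else printf("%s: %d hop(s), ticket for %s\n", svcs[i], hops, out.server);
    }
    return 0;
}
```

<P><FONT SIZE=2 FACE="Arial">For host/a.leaf.example the chase goes LOCAL.EXAMPLE to HUB.EXAMPLE to LEAF.EXAMPLE and returns a ticket whose server principal carries LEAF.EXAMPLE, while the request was built as host/a.leaf.example@LOCAL.EXAMPLE; server_realm_matches reports that mismatch, which is exactly the in_cred/out_cred difference the message asks about. The loop case shows why the visited-realm check matters: without it the client would bounce between HUB.EXAMPLE and LOOP.EXAMPLE until the hop limit.</FONT></P>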
<BR>
<BR>
</BODY>
</HTML>