Mutual authentication and delegation

David Lawler Christiansen (NT) DAVIDCHR at windows.microsoft.com
Fri Mar 8 17:04:39 EST 2002


This is mentioned briefly in the third paragraph of
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/about_mutual_authentication_using_kerberos.asp

Put simply, delegating to a server is a dangerous business.  We require
MUTUAL_AUTH to ensure that you're really delegating to the correct,
intended entity.  

-----
This message or posting is provided "AS IS" with no warranties, and
confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
Harvesting of this address for purposes of bulk email (including "spam")
is prohibited unless by my expressed prior request.  I retaliate
viciously against spammers and spam sites.


> -----Original Message-----
> From: Brian Krings [mailto:krings at us.ibm.com] 
> Sent: Friday, March 08, 2002 12:05 PM
> To: kerberos at mit.edu
> Subject: Mutual authentication and delegation
> 
> 
> I have a question about mutual authentication and delegation. 
> I have an application where I would like to delegate 
> credentials. I do not currently do mutual authentication. 
> Using Windows 2000 as my KDC, I cannot get delegated 
> credentials unless I also pass the mutual authentication flag 
> to the SSPI InitializeSecurityContext. I don't see any 
> documentation from Microsoft or in the RFCs that would force 
> this. Does Microsoft have a bug? I do not have to request 
> mutual authentication if my client is a non-Windows machine 
> (using GSSAPI).
> 
> Thanks in advance for any/all responses.
> Brian
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
> 
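The rule stated in the reply, as an added example that is not part of either message: a client that wants to hand delegable credentials to a server should request ISC_REQ_DELEGATE together with ISC_REQ_MUTUAL_AUTH, and after InitializeSecurityContext completes it should confirm from the returned context attributes that the server was actually authenticated and that delegation was actually granted. The flag values are the ones from sspi.h, redefined here so the check compiles outside Windows; the enum and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in sspi.h; redefined so this builds without Windows headers. */
#define ISC_REQ_DELEGATE     0x00000001u
#define ISC_REQ_MUTUAL_AUTH  0x00000002u
#define ISC_RET_DELEGATE     0x00000001u
#define ISC_RET_MUTUAL_AUTH  0x00000002u

typedef enum {
    DELEG_OK = 0,              /* server authenticated and delegation granted */
    DELEG_NOT_REQUESTED,       /* caller never asked for delegation */
    DELEG_REQ_MISSING_MUTUAL,  /* ISC_REQ_DELEGATE without ISC_REQ_MUTUAL_AUTH: refused (the behaviour discussed above) */
    DELEG_RET_MISSING_MUTUAL,  /* context lacks mutual auth: the server's identity is unverified, do not delegate */
    DELEG_RET_NOT_GRANTED      /* server verified, but the SSP did not grant delegation (e.g. account not trusted for it) */
} deleg_status;

/* fContextReq a client should pass to InitializeSecurityContext when it wants
 * the server to receive delegable credentials: delegation implies mutual auth. */
uint32_t delegation_request_flags(uint32_t other_flags)
{
    return other_flags | ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH;
}

/* Decide whether a completed context may be used for delegation, given the
 * flags the client requested and the pfContextAttr value the SSP returned.
 * Both the request and the result are checked; a success return code alone
 * does not prove the delegation or mutual-auth bits were honoured. */
deleg_status check_delegation(uint32_t requested, uint32_t returned)
{
    if (!(requested & ISC_REQ_DELEGATE))
        return DELEG_NOT_REQUESTED;
    if (!(requested & ISC_REQ_MUTUAL_AUTH))
        return DELEG_REQ_MISSING_MUTUAL;
    if (!(returned & ISC_RET_MUTUAL_AUTH))
        return DELEG_RET_MISSING_MUTUAL;
    if (!(returned & ISC_RET_DELEGATE))
        return DELEG_RET_NOT_GRANTED;
    return DELEG_OK;
}

int main(void)
{
    uint32_t req = delegation_request_flags(0);
    printf("request flags: 0x%08x\n", req);
    printf("delegate only, nothing back:  %d\n", check_delegation(ISC_REQ_DELEGATE, 0));
    printf("both requested, both granted: %d\n",
           check_delegation(req, ISC_RET_MUTUAL_AUTH | ISC_RET_DELEGATE));
    return 0;
}
```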
