microsoft xp gssapi client talking to solaris8 gssapi server

Sam Hartman hartmans at MIT.EDU
Sat Oct 5 14:25:56 EDT 2002


>>>>> "Tony" == Tony Hoyle <tmh at nodomain.org> writes:

    Tony> In the first case you're not using Active Directory, which
    Tony> kind of defeats the point.  
I am fairly sure you're misusing the term active directory here.  It's
certainly true that you're using an extra DLL or two, and you need to
have a krb5.ini, but you can use your Windows credentials and Windows KDCs.



    Tony> Plus KFW is not available
    Tony> outside the US, which is a pain as you have to build from
    Tony> the unix source tree (and if you intend to do anything
    Tony> commercial you've got export/license issues
    Tony> anyway... heimdal which is more unencumbered isn't yet
    Tony> ported to windows AFAIK).

Any export/license issues you'd have with the MIT codebase (and while
they do exist for commercial software, they do not seem prohibitive)
will also exist with Heimdal.

Note that for example Columbia University does export KFW as part of a
commercial product.  They did not interact with MIT at all for this
clearance; they simply went through the necessary steps to export
cryptographic software from the US.


    Tony> In the second case I've never heard of this dll (and I've
    Tony> been searching for two years for such a beast...  I ended up
    Tony> writing my own (which works OK for the one project I need it
    Tony> for)... there are parts of SSPI though that simply don't map
    Tony> to GSSAPI and you have to fudge the issue - 

The question was about mapping GSSAPI onto SSPI, not SSPI onto GSSAPI.
It's certainly true that there are SSPI calls that have no GSSAPI
version.

ftp://ftp.sap.de/pub/ietf-work/



