client-side support for SASL/GSSAPI on windows?

Actually davidchr davespam at microsoft.com
Tue Apr 13 14:31:48 EDT 2004


See below...

---
This message is provided "AS IS" with no warranties, and confers no
rights.
This message may originate from an unmonitored alias ("davespam") for
spam-reduction purposes.  Use "davidchr" for individual replies.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
This message originates in the State of Washington (USA), where
unsolicited commercial email is legally actionable (see
http://www.wa-state-resident.com).
Harvesting of this address for purposes of bulk email (including "spam")
is prohibited unless by my expressed prior request.  I retaliate
viciously against spammers and spam sites.
 

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of
> denis.havlik at t-mobile.at
> Sent: Tuesday, April 13, 2004 4:41 AM
> To: kerberos at mit.edu
> Subject: client-side support for SASL/GSSAPI on windows?
>
> Hi, folks
>
> I've tested the openLDAP+MIT kerberos+SASL/GSSAPI on Linux (and I'm
> quite happy with it), but I'll need the client-side support on the
> windows side as well. Anyone knows of some good online docs that
> explain what has to be done on the windows side?
>
> For instance, there is apparently no stable SASL for windows
> (http://asg.web.cmu.edu/cyrus/download/sasl/windows.html), so what's
> used for SASL/GSSAPI? :-)

There's native support for SASL in Windows, so the MSDN would be a good
place to start.  Jumping straight to the API reference, you could hit
this URL for starters:

<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/saslinitializesecuritycontext.asp>

> 
> Closely related: I want to set up windows AD controller in such a
> way that the password for all users is checked against MIT kerberos
> KDC.
>
> Now, windows machines have a built-in support for kerberos, and
> that's all that's needed for login purpose. Do I still need to
> install MIT kerberos 4 Windows on all the windows client machines,
> or not?

You don't need MIT K4W on the workstations for this purpose (you might
need it if you have Win32 gssapi applications that aren't using SSPI,
but certainly not for logon).

Just establish a trust relationship between the two realms and ensure
that the client machines are aware of the MIT Realm.  Information on
this can be found at
<http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp>
-- although the link explicitly references win2k, the steps are
identical for XP and WS03.

> 
> thx
>         Denis
> --
> T-Mobile Austria GmbH,
> Information Technologies / Services
> Knowledge Management & Process Automation
> 
> Dr. Denis Havlik,                 eMail: denis.havlik at t-mobile.at
> Rennweg 97-99, BT2E0304031        Phone: +43-1-79-585/6237
> A-1030 Vienna                     Fax:   +43-1-79-585/6584
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
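
The setup the reply outlines (a trust between the AD domain and the MIT realm, plus clients that know where the MIT KDC is), sketched as an added example; it is not part of the original thread or of the linked Microsoft guide. All realm, host and account names are placeholder assumptions, and step 4 assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example with constructed placeholder names (assumptions, not from the thread):
#   MIT realm: MIT.EXAMPLE.ORG   MIT KDC host: kdc.mit.example.org
#   AD domain: ad.example.com    (Kerberos realm AD.EXAMPLE.COM)
$MitRealm = 'MIT.EXAMPLE.ORG'
$MitKdc   = 'kdc.mit.example.org'
$AdDomain = 'ad.example.com'

# 1. On the MIT KDC (run in kadmin, not in PowerShell): create the
#    cross-realm principal that lets MIT-issued tickets be used in the AD
#    realm. Use a long random password and reuse it in step 3.
#      kadmin: addprinc krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.ORG

# 2. On every domain controller AND every client workstation: register
#    the KDC for the MIT realm, then reboot so the setting takes effect.
ksetup /addkdc $MitRealm $MitKdc

# 3. On a domain controller: create a one-way realm trust in which the
#    AD domain trusts the MIT realm. The password must match step 1.
$TrustPassword = Read-Host 'Cross-realm trust password'
netdom trust $AdDomain /Domain:$MitRealm /Add /Realm /PasswordT:$TrustPassword

# 4. Map each MIT principal to the AD account it should log on as.
#    'alice' is a hypothetical account name.
Import-Module ActiveDirectory
Set-ADUser -Identity 'alice' -Add @{
    altSecurityIdentities = "Kerberos:alice@$MitRealm"
}

# 5. Check the result: ksetup with no arguments prints the configured
#    realms and KDCs; after logging on as alice@MIT.EXAMPLE.ORG, klist
#    should show a TGT from the MIT realm and a cross-realm ticket for
#    krbtgt/AD.EXAMPLE.COM.
ksetup
klist
```

The trust password is the only secret shared between the two realms, so it deserves the same handling as a KDC master key: generate it randomly, do not leave it in shell history or scripts, and rotate it on both sides together.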


