Using GSSAPI to talk to a Windows SSPI server.

Jeffrey Altman jaltman2 at nyc.rr.com
Tue Jan 13 10:49:32 EST 2004


If you are using MIT Kerberos for Windows 2.5 on a Windows workstation
which is part of a Windows AD Domain, then the Leash ticket manager
(when executed) will automatically import tickets from the Microsoft
Kerberos LSA credentials cache into the MIT Kerberos credentials cache
for use by applications using the MIT Kerberos API.

Under Options->Leash Configuration ... there is a check box for create
missing configuration files.  If there are no configuration files when
Leash is run the first time, then Leash will autoconstruct them using
information found in the Windows registry.  The KRB5.INI (aka krb5.conf)
may be necessary depending on your realm configuration.

Since Microsoft does not support Kerberos 4, you might want to also
disable the Kerberos 4 support in Leash from the same configuration page.

In KfW 2.6 (soon to enter beta test) you could use the Options->
Kerberos V5 Properties ... dialog to set the Ticket File to

    "MSLSA:"

Doing so would instruct the MIT Kerberos APIs to obtain tickets using
the Microsoft Kerberos LSA credentials cache without importing.

Of course, if you are working on a Microsoft Windows workstation
which is not part of an AD Domain then you do not have a Kerberos
realm yet.

Jeffrey Altman
KFW Maintainer

Kevin Burton wrote:

> I am using the SSPI workbench (Keith Brown) in "server" mode listening at
> port 4242. I am using the MIT distribution of Kerberos and compiled the
> source for Windows. There is a program in that distribution called gss. This
> program has a single text box entry of the form
> 
> machine port principal
> 
> I enter
> 
> localhost 4242 kburton at ppc.com
> 
> The program 'gss' seems to get through the gss_import_name without error,
> but in gss_init_sec_context I get two errors resulting from the min_stat and
> maj_stat return codes. The first is 'GSS_API error initializing context:
> Miscellaneous failure'. The second is 'GSS-API error initializing context:
> No credentials cache found'. My question is, how do I establish a credential
> cache? The routine kinit indicates that it could not find the KDC. The
> application klist also indicates that there is no credential cache. What
> configuration step did I miss? This is for a Windows platform. I am mainly
> doing this as a proof of concept as the final 'client' will reside on a
> non-Windows platform (probably Linux) and will use Kerberos GSSAPI to log
> into a Windows server using SSPI on the Windows server.
> 
> Thank you for your help.
> 
> Kevin Burton
> rkevinburton at charter.net
> kburton at visa.com
> 
> 
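A configuration check for the two errors quoted above ("No credentials cache found" and kinit not finding the KDC), added here as an example; it is not part of the original post or of KfW. The realm, KDC host, and function names are constructed placeholders. It parses krb5.ini text and classifies a ticket-file name such as "MSLSA:".

```python
import os
import re
# Constructed sample krb5.ini; the realm and KDC host are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

def parse_krb5(text):
    """Parse krb5.ini's [section], key = value and key = { ... } layout."""
    conf, stack = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()  # end of a { ... } subsection
        elif "=" in line and stack and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def split_ccname(ccname):
    """Split TYPE:residual; a bare path or a drive letter means FILE."""
    prefix, sep, rest = ccname.partition(":")
    return ("FILE", ccname) if not sep or len(prefix) == 1 else (prefix.upper(), rest)

def diagnose(krb5_text, ccname, on_windows):
    """List configuration problems behind the two errors quoted in the post."""
    conf, problems = parse_krb5(krb5_text), []
    realm = (conf.get("libdefaults", {}).get("default_realm") or [None])[0]
    if realm is None:
        problems.append("no default_realm in [libdefaults]")
    elif not conf.get("realms", {}).get(realm, {}).get("kdc"):
        problems.append(f"no kdc for {realm} in [realms]; DNS must supply it")
    cctype, residual = split_ccname(ccname)
    if cctype == "MSLSA" and not on_windows:
        problems.append("MSLSA: is only available on Windows")
    elif cctype == "FILE" and not os.path.exists(residual):
        problems.append(f"credentials cache file {residual} does not exist")
    return problems
```

On the non-Windows client mentioned in the question, `diagnose(SAMPLE, "MSLSA:", False)` reports that the LSA cache is unavailable, so tickets there have to come from kinit into a file cache.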

