Using GSSAPI to talk to a Windows SSPI server.

Kevin Burton rkevinburton at charter.net
Tue Jan 13 14:20:46 EST 2004


The only reason that I need to rebuild from source is that I need the
libraries and include files for Windows so that I can build the Windows
test programs, specifically 'gss'. If you have those available, maybe I
could avoid this build problem.

Thanks again.

Kevin Burton
rkevinburton at charter.net


-----Original Message-----
From: Kevin Burton [mailto:rkevinburton at charter.net] 
Sent: Tuesday, January 13, 2004 1:07 PM
To: 'Jeffrey Altman'; 'kerberos at mit.edu'
Subject: RE: Using GSSAPI to talk to a Windows SSPI server.

I tried to build the kfw-2.5 from source using Visual Studio .NET 2003
and I get the following build errors:

[04/01/13 12:57:21] g:\kburton\kfw-2.5\src\athena\auth\krbcc\src\CCacheLib\Sources\Headers\CCIUniqueGlobally.h(82) : warning C4346: 'CCIUniqueGlobally<T>::UniqueID' : dependent name is not a type
[04/01/13 12:57:21]         prefix with 'typename' to indicate a type
[04/01/13 12:57:21] g:\kburton\kfw-2.5\src\athena\auth\krbcc\src\CCacheLib\Sources\Headers\CCIUniqueGlobally.h(82) : error C2072: 'CCIUniqueGlobally<T>::Resolve' : initialization of a function
[04/01/13 12:57:21] g:\kburton\kfw-2.5\src\athena\auth\krbcc\src\CCacheLib\Sources\Headers\CCIUniqueGlobally.h(82) : fatal error C1903: unable to recover from previous error(s); stopping compilation
[04/01/13 12:57:22] NMAKE : fatal error U1077: 'cl' : return code '0x2'
[04/01/13 12:57:22] Stop.

Kevin Burton
rkevinburton at charter.net


-----Original Message-----
From: Jeffrey Altman [mailto:jaltman2 at nyc.rr.com] 
Sent: Tuesday, January 13, 2004 9:50 AM
To: Kevin Burton; kerberos at mit.edu
Subject: Re: Using GSSAPI to talk to a Windows SSPI server.

If you are using MIT Kerberos for Windows 2.5 on a Windows workstation
which is part of a Windows AD Domain, then the Leash ticket manager
(when executed) will automatically import tickets from the Microsoft
Kerberos LSA credentials cache into the MIT Kerberos credentials cache
for use by applications using the MIT Kerberos API.

Under Options->Leash Configuration ... there is a check box for create
missing configuration files.  If there are no configuration files when
Leash is run the first time, then Leash will autoconstruct them using
information found in the Windows registry.  The KRB5.INI (aka krb5.conf)
may be necessary depending on your realm configuration.

Since Microsoft does not support Kerberos 4, you might want to also
disable the Kerberos 4 support in Leash from the same configuration
page.

In KfW 2.6 (soon to enter beta test) you could use the Options->
Kerberos V5 Properties ... dialog to set the Ticket File to

    "MSLSA:"

Doing so would instruct the MIT Kerberos APIs to obtain tickets using
the Microsoft Kerberos LSA credentials cache without importing.

Of course, if you are working on a Microsoft Windows workstation
which is not part of an AD Domain then you do not have a Kerberos
realm yet.

Jeffrey Altman
KFW Maintainer

Kevin Burton wrote:

> I am using the SSPI workbench (Keith Brown) in "server" mode listening at
> port 4242. I am using the MIT distribution of Kerberos and compiled the
> source for Windows. There is a program in that distribution called gss. This
> program has a single text box entry of the form
> 
> machine port principal
> 
> I enter
> 
> localhost 4242 kburton at ppc.com
> 
> The program 'gss' seems to get through the gss_import_name without error,
> but in gss_init_sec_context I get two errors resulting from the min_stat and
> maj_stat return codes. The first is 'GSS_API error initializing context:
> Miscellaneous failure'. The second is 'GSS-API error initializing context:
> No credentials cache found'. My question is, how do I establish a credential
> cache? The routine kinit indicates that it could not find the KDC. The
> application klist also indicates that there is no credential cache. What
> configuration step did I miss? This is for a Windows platform. I am mainly
> doing this as a proof of concept as the final 'client' will reside on a
> non-Windows platform (probably Linux) and will use Kerberos GSSAPI to log
> into a Windows server using SSPI on the Windows server.
> 
> Thank you for your help.
> 
> Kevin Burton
> rkevinburton at charter.net
> kburton at visa.com
> 
> 



