GSS API and impersonate client in the server

Mattias Karlsson mattias.karlsson at
Thu Oct 14 11:04:00 EDT 2004


I'm about to kerberize our product and will use the gss api. When
analyzing the different components in our system I found that I need
to be able to impersonate the client in the server using the client
credentials. The reason for doing this is that the server needs to be
able to access Windows resources (registry) with client permissions.

How it works in the unkerberized client/server is that the client
sends its Windows user and password to the server in the beginning of
the session. The server does a (WIN API) LogonUser and an
ImpersonateLoggedOnUser and can then act as the client in that thread.

I don't want to send user/password over the network but need to be
able to impersonate the client!

The Windows SSPI API provides functions like
InitializeSecurityContext, AcceptSecurityContext and
ImpersonateSecurityContext but I don't want to use SSPI since I got
some UNIX servers and clients as well. Is it possible to use the
delegated_cred_handle or context_handle I get from the gss api call
gss_accept_sec_context and use it (maybe cast it) in the
ImpersonateSecurityContext function? Or is there some other way to do
this? I assume I need to specify the GSS_C_DELEG_FLAG in the client's
gss_init_sec_context call; is there anything else that must be done?

