gss_init_sec_context() failed: : Ccache function not supported:

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Apr 13 11:10:54 EDT 2005


peter huang wrote:

> I'm glad more was asked about this subject, I gained more understanding of 
> how this should work.  In this case, the gss_init_sec_context failed trying 
> to get a cross-realm tgt using MSLSA ccache but has no problem if I used 
> API:krb5cc ccache.  The realm info is more explicit in krb5.ini but I did not
> use ksetup to identify additional realms (I did add the trust relationship
> with AD DC).
> -peter huang

If you want to be able to use MSLSA, then you must configure the realms
using KSETUP.EXE.

When you are using the MSLSA, you are essentially asking to obtain
tickets using the Microsoft Kerberos implementation not the MIT Kerberos
implementation.  If a ticket cannot be obtained via the Microsoft
Kerberos implementation (due to mis-configuration), the MIT Kerberos
libraries will obtain the ticket but will not be able to write it back
to the LSA cache.

If you would like to have this functionality, please contact Microsoft
and make a request that they provide it.  The MIT Kerberos team and
several other parties have also made such a request.  Perhaps as one
of Microsoft's largest OEMs, HP will have the influence to convince them
to open the LSA cache so that third party libraries such as MIT KFW can
store tickets.

If you choose to file such a request, be sure to explain to them why the
Microsoft Kerberos implementation cannot obtain tickets in your
cross-realm environment.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
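
An added example, not part of the original message: a small Python helper that reads the [realms] section of a krb5.ini and prints the matching `ksetup /addkdc` lines, so the realms MIT Kerberos knows about are also known to the Microsoft implementation behind MSLSA. The realm names, host names and the `skip` parameter are assumptions made for illustration.

```python
import re

# Constructed sample krb5.ini; realm and host names are placeholders.
SAMPLE_KRB5_INI = """\
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        admin_server = dc1.corp.example.com
    }
    UNIX.EXAMPLE.ORG = {
        kdc = kdc1.unix.example.org:88
        kdc = kdc2.unix.example.org
    }

[domain_realm]
    .unix.example.org = UNIX.EXAMPLE.ORG
"""

def realm_kdcs(text):
    """Return {realm: [kdc hosts]} from the [realms] section of krb5.ini text."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms.setdefault(realm, [])
        elif line.startswith("}"):
            realm = None
        elif realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "kdc":
                realms[realm].append(value.split(":", 1)[0])  # drop optional :port
    return realms

def ksetup_commands(text, skip=()):
    """One 'ksetup /addkdc REALM host' line per KDC; 'skip' omits realms Windows already knows."""
    return [f"ksetup /addkdc {realm} {host}"
            for realm, hosts in realm_kdcs(text).items() if realm not in skip
            for host in hosts]

if __name__ == "__main__":
    print("\n".join(ksetup_commands(SAMPLE_KRB5_INI, skip={"CORP.EXAMPLE.COM"})))
```

The printed lines are meant to be reviewed and then run from an elevated prompt on the Windows machine.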

