Kerberizing a Windows process using SPNEGO

Eitan noyasoft at netvision.net.il
Wed Sep 21 11:25:23 EDT 2005


Hi,

After a tedious trial and error process I was able to create the
following environment:

PC-X: Running Windows 2003 (Active Directory mode); domain name is:
R2D2.myhost.com
PC-Y: Running XP; it is a member of the Active Directory
PC-Z: Not a member of the domain. Running Visual Studio (has the MIT
Kerberos API installed).

Now.
After I got Microsoft's open source for SPNEGO parsing,
I've created a simple web server that listens on port 80. When it
receives an HTTP request, it parses the header, does uudecode for the
Authorization data and passes the binary buffer to the SPNEGO API.

When tested with a browser running on PC-Y, it seems to pass an SPNEGO
token (and not NTLM). The SPNEGO API returned a success.
So I guess so far so good..

The next steps:
On the Active Directory I've created a user (kerbuser) for the remote
service and gave it an SPN using these commands:

    SETSPN -A host/r2d2.myhost.com kerbuser
    SETSPN -A HTTP/r2d2.myhost.com kerbuser

The next step was:

    ktpass -princ host/myhost.r2d2..com@R2D2.MYHOST.COM -pass XXX -mapuser r2d2\kerbuser -out host.keytab

    ktpass -princ HTTP/myhost.r2d2.intel.com@R2D2.MYHOST.COM -pass XXX -mapuser r2d2\kerbuser -out HTTP.keytab

Now I had the keytab files, so far things went totally groovy!

This is where the problem starts:
=================================
What's next?
In the SPNEGO source it says .."call gss_accept_sec_context()",
and so I did, but all I got was an error from "gss_acquire_cred()".

How can I enable SPNEGO on my mini web server?
Help me please ..

Eitan
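
Added example, not part of the original post: a Python check for the step described above, where the server decodes the Authorization data and the poster observes that the browser sent SPNEGO rather than NTLM. It base64-decodes the Negotiate value (the encoding RFC 4559 specifies) and lists the mechanisms offered in the NegTokenInit; the function names, result labels and the sample token are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}

# Constructed sample: a NegTokenInit carrying only a mechTypes list (no mechToken).
SAMPLE_TOKEN = (bytes.fromhex("6032") + OID_SPNEGO + bytes.fromhex("a0283026a0243022")
                + OID_MS_KRB5 + OID_KRB5 + OID_NTLMSSP)
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()


def _tlv(buf, pos, tag):
    """Return (start, end) of the value of the DER element with `tag` at buf[pos]."""
    if buf[pos] != tag:
        raise ValueError("unexpected tag")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated")
    return pos, pos + n


def classify_authorization(value):
    """Return (kind, offered_mechs) for one Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", []
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm", []
        pos, _ = _tlv(tok, 0, 0x60)           # GSS-API initial context token
        if tok[pos:pos + 8] != OID_SPNEGO:
            return ("raw-kerberos" if tok[pos:pos + 11] == OID_KRB5 else "unknown"), []
        pos, _ = _tlv(tok, pos + 8, 0xA0)     # NegotiationToken: [0] negTokenInit
        pos, _ = _tlv(tok, pos, 0x30)         # NegTokenInit SEQUENCE
        pos, _ = _tlv(tok, pos, 0xA0)         # [0] mechTypes
        pos, end = _tlv(tok, pos, 0x30)       # SEQUENCE OF MechType
        mechs = []
        while pos < end:
            start, stop = _tlv(tok, pos, 0x06)
            mechs.append(MECH_NAMES.get(tok[pos:stop], tok[start:stop].hex()))
            pos = stop
        return "spnego", mechs
    except (ValueError, IndexError):  # bad base64 or truncated/unexpected DER
        return "malformed", []
```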


