GSS_ACCEPT_SECURITY_CONTEXT

Jeffrey Hutzelman jhutz at cmu.edu
Tue Sep 27 12:41:40 EDT 2005



On Tuesday, September 27, 2005 10:11:56 AM -0500 "Balakrishnan, Sivakumar" 
<Sivakumar_Balakrishnan at adp.com> wrote:

> I am trying to implement a custom Kerberos authentication for my IIS
> application using an ISAPI filter.   I am expecting the
> gss_accept_security_context to return me AP-REP if I passed an input
> token (contains AP-REQ) with mutual_authentication flag set in its
> AP-options.  But in my program the gss_accept_security_context returns a
> GSS-S-Complete but when I parse the output token it just contains the
> Input principal and didn't contain an AP-REP.

It's unclear here whether the context token you're passing in is one you 
got from another GSSAPI, or one you constructed yourself.  The AP-REQ used 
by the Kerberos GSSAPI mechanism uses a special "checksum" which contains 
additional data used in negotiating the GSSAPI context (see RFC4121, 
section 4.1.1, or RFC1964 section 1.1.1).  Part of this data includes flag 
bits indicating which GSSAPI-level options were requested by the 
application.  In order for mutual authentication to happen, the 0x02 bit in 
these flags must be set.

At the GSSAPI level, the way to do this is to make sure that the 
mutual_req_flag (in C, GSS_C_MUTUAL_FLAG) is set in the call to 
GSS_Init_sec_context().

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
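To make the point about the checksum flags concrete, here is an added illustration that is not part of the original thread: a small decoder for the RFC 1964 section 1.1.1 checksum carried in the AP-REQ Authenticator, which shows whether bit 0x02 (GSS_C_MUTUAL_FLAG) was actually requested in a token you built yourself. The function names and the sample checksum are my own constructions, not anything from the poster's code.

```python
import struct

# RFC 1964 section 1.1.1: the Authenticator inside the Kerberos GSSAPI AP-REQ carries
# a checksum (type 0x8003) whose Flags word records the context options the initiator
# asked for; bit 0x02 is the mutual-authentication request.
GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG, GSS_C_REPLAY_FLAG = 0x01, 0x02, 0x04
GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG, GSS_C_INTEG_FLAG = 0x08, 0x10, 0x20
FLAG_NAMES = {0x01: "DELEG", 0x02: "MUTUAL", 0x04: "REPLAY",
              0x08: "SEQUENCE", 0x10: "CONF", 0x20: "INTEG"}

def build_checksum(flags, bnd=bytes(16), deleg=b""):
    """Encode Lgth(=16) | Bnd(16 bytes) | Flags, all little-endian per RFC 1964.
    bnd is the MD5 of the channel bindings (16 zero octets when none were given).
    If deleg (a KRB-CRED) is supplied, DlgOpt(=1) | Dlgth | Deleg are appended."""
    if len(bnd) != 16:
        raise ValueError("Bnd must be exactly 16 bytes")
    if deleg:
        flags |= GSS_C_DELEG_FLAG
    out = struct.pack("<I16sI", 16, bnd, flags)
    if deleg:
        out += struct.pack("<HH", 1, len(deleg)) + deleg
    return out

def parse_checksum(data):
    """Decode the checksum and report which GSSAPI options were really requested."""
    if len(data) < 24:
        raise ValueError("checksum shorter than the fixed 24-byte part")
    lgth, bnd, flags = struct.unpack_from("<I16sI", data, 0)
    if lgth != 16:
        raise ValueError("Lgth is %d, RFC 1964 fixes it at 16" % lgth)
    info = {"bnd": bnd, "flags": flags, "deleg": None,
            "names": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "mutual": bool(flags & GSS_C_MUTUAL_FLAG)}
    if flags & GSS_C_DELEG_FLAG:
        dlgopt, dlgth = struct.unpack_from("<HH", data, 24)
        if dlgopt != 1 or len(data) < 28 + dlgth:
            raise ValueError("malformed DlgOpt/Dlgth/Deleg fields")
        info["deleg"] = data[28:28 + dlgth]
    return info

def diagnose(data):
    """Verdict an acceptor-side debugger would give: will an AP-REP come back?"""
    info = parse_checksum(data)
    verdict = "AP-REP will be returned" if info["mutual"] else "no AP-REP will be returned"
    return "Flags=0x%02x (%s): %s" % (info["flags"], ",".join(info["names"]), verdict)

# Constructed sample: a hand-built AP-REQ whose checksum asked for replay, sequence,
# conf and integ protection but not mutual auth, matching the symptom in the question.
SAMPLE_NO_MUTUAL = build_checksum(GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)
```

Feed `diagnose()` the checksum bytes pulled from the decrypted Authenticator of your own AP-REQ; if it reports bit 0x02 clear, the acceptor is behaving correctly and the fix is on the initiator side, as the reply says.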