Krb5 native and JGSS messages

Fredrik Tolf fredrik at
Mon Aug 21 21:25:42 EDT 2006

On Mon, 2006-08-21 at 18:29 -0400, Michael B Allen wrote:
> On Mon, 21 Aug 2006 21:48:30 +0200
> Fredrik Tolf <fredrik at> wrote:
> > So, I'm wondering, are the messages created by JGSS compatible with the
> > ones used by the native MIT API?
> Yes. There have been bugs in Java's Kerberos implementation but I'm not
> sure if there is anything outstanding. Otherwise, JGSS should be fully
> compatible with MIT, Heimdal, Microsoft, ...

Sorry, I guess I should rephrase myself. I didn't mean to ask whether
JGSS is compatible with MIT's, Heimdal's and Microsoft's GSSAPI
implementation (because I would find it very weird if it wasn't), but
rather whether the messages generated by GSSAPI (whether it be JGSS or
MIT's libgssapi_krb5) is compatible with the messages generated by the
"native" Krb5 API.

That is, if I generate an initial token with the
GSSContext.initSecContext method and send it to a server, will the
server be able to pass that token directly into krb5_rd_req and having
it be understood? I realize that the Kerberos protocol is standardized
in an RFC (although I don't remember which RFC right now), but I'm
guessing that it's possible that GSSAPI might add some encapsulation
data or something that would require pre-parsing, basically.

Thanks for your replies, Michael and Seema!

Fredrik Tolf

More information about the Kerberos mailing list