Krb5 native and JGSS messages

Michael B Allen mba2000 at
Tue Aug 22 01:22:35 EDT 2006

On Tue, 22 Aug 2006 03:25:42 +0200
Fredrik Tolf <fredrik at> wrote:

> On Mon, 2006-08-21 at 18:29 -0400, Michael B Allen wrote:
> > On Mon, 21 Aug 2006 21:48:30 +0200
> > Fredrik Tolf <fredrik at> wrote:
> > 
> > > So, I'm wondering, are the messages created by JGSS compatible with the
> > > ones used by the native MIT API?
> > 
> > Yes. There have been bugs in Java's Kerberos implementation but I'm not
> > sure if there is anything outstanding. Otherwise, JGSS should be fully
> > compatible with MIT, Heimdal, Microsoft, ...
> Sorry, I guess I should rephrase myself. I didn't mean to ask whether
> JGSS is compatible with MIT's, Heimdal's and Microsoft's GSSAPI
> implementation (because I would find it very weird if it wasn't), but
> rather whether the messages generated by GSSAPI (whether it be JGSS or
> MIT's libgssapi_krb5) is compatible with the messages generated by the
> "native" Krb5 API.

GSSAPI doesn't really define a format of messages. The messages are
opaque blobs. It's up to the underlying authentication mechanism to
encode and decode the information required by the GSSAPI interface.
Actually GSSAPI might define that the tokens are prefixed with an

> That is, if I generate an initial token with the
> GSSContext.initSecContext method and send it to a server, will the
> server be able to pass that token directly into krb5_rd_req and having
> it be understood?

Hmm, I wouldn't rely on that. If you use GSSAPI on the client you should
use GSSAPI on the server. If you can't use GSSAPI on the server then
use raw Kerberos on the client. Otherwise you might need to strip that
OID I mentioned. Not sure. I would have to look into that but I have to
clean my fish tank :->


Michael B Allen
PHP Active Directory SSO

More information about the Kerberos mailing list