Krb5 native and JGSS messages

Jeffrey Altman jaltman2 at
Tue Aug 22 09:54:22 EDT 2006

Fredrik Tolf wrote:

> Sorry, I guess I should rephrase myself. I didn't mean to ask whether
> JGSS is compatible with MIT's, Heimdal's and Microsoft's GSSAPI
> implementation (because I would find it very weird if it wasn't), but
> rather whether the messages generated by GSSAPI (whether it be JGSS or
> MIT's libgssapi_krb5) is compatible with the messages generated by the
> "native" Krb5 API.

GSS tokens generated by a GSS client must be processed by a GSS server.
They are not identical to the KRB_AP_REQ and KRB_AP_REP messages used
by raw Kerberos 5.  You would need to implement the GSS Kerberos 5
mechanism in order to parse the GSS tokens to obtain the KRB_AP_REQ on
the GSS server and generate the appropriate response token to send to
your GSS client.

In other words, you need to either use raw Kerberos 5 on both peers or
GSS on both peers in order for it to work.

Jeffrey Altman

More information about the Kerberos mailing list