Is it required to use GSSAPI code for the Kerberos Server Auth?

Douglas E. Engert deengert at
Fri Mar 24 10:23:35 EST 2006

Surendra Babu A wrote:

> Hi Douglas,
> Thanks a lot for the response. Following are my inputs.
> POINT#1:
> Server Authentication means, Mutual Authentication. Sorry for the confusion.
> So for Mutual Authentication with the Server (AP_REQ and AP_REP to be done).
> We have formed the AS_REQ, AS_REP, TGS+REQ and TGS_REP packets on our own
> wby using Krb5 code with out using the GSSPI.
> While sending the AP_REQ packet to SMTP server, should we add GSSAPI
> information? Basically, I am sending the
> - Service ticket and
> - Authenticatior information in the AP_REQ packet. With this information,
> the SMT server is saying, unknown data?
> Is it required to add some GSSAPI header information to the AP_REQ packet?
> What GSSAPI should I use to make the correct AS_REQ packet?

Are you trying to write your own Kerberos implementation? Or
are you using MIT, Heimdal or some other version?

Have you read all the Kerberos RFCs and the GSSAPI RFCs?

I still can't not understand why you feel you have to program at the
Kerberos level, rather then the GSSAPI. The GSSAPI is designed to handle
all these problems you are having.  If you want mutual authentication
with GSSAPI, on the gss_init_sec_context you would add the GSS_C_MUTUAL_FLAG
flag and the GSSPAI would take care of it for you.

All the Kerberos implementation come with GSSAPI, and on some systems
like Solaris 10, the underlying Kerberos is not exposed,only the GSSAPI.
On Windows the Microsoft SSPI can interoperate with GSSAPI Kerberos
on other systems.
There are also gssapi examples with the different implementation.

Are you starting with some application that that already does
Kerberos, rather then GSSAPI? Have you done a Google for smtp gssapi?

Looks like you need SASL too.

> POINT#2:
> =======
> If we use GSSAPI code, everything will be taken by that. All  *_REQ and _REP
> packets will be sent and processed. Can't we plugin our processed AS_REQ,
> AS_REP, TGS_REQ and TGS_REP packets in to that?

The AS, and TGS messages are between the client and the KDC. GSSAPI deals
with the client to the server, and will be doing all the AP_* type
messages for you.

With Keeberos GSS, you will still have toi have done a kinit to get
the initial TGT, wihc isthen saved in a ticket cache. So if you
used something other the kinit to do the AS_* processing put them
in a ticket cache.

The gss_acquire_cred is then called. With the Kerberos GSSPAI implementation
will look for the ticket cache and will obtain additonal tickets for you
using the TGS_* messages  and the original TGT.

> - we are facing probelm in forming the AP_REQ packet for MUTUAL
> AUTHENTICTAION with the Server.
> Any thoughts on the same?

> Thanks a lot in advance,
> -Surendra
>   ----- Original Message ----- 
>   From: Douglas E. Engert
>   To: Surendra Babu A
>   Cc: kerberos at
>   Sent: Thursday, March 23, 2006 8:14 PM
>   Subject: Re: Is it required to use GSSAPI code for the Kerberos Server
> Auth?
>   Surendra Babu A wrote:
>   >   Hi Team,
>   >
>   >   Could you please let me know your thoughts on the below mentioned
> issue.
>   >
>   >   Point #1
>   >   ----------
>   >   I am working on SA (Server Authentication) feature of Kerberos.
>   What do you mean by SA (Server Authentication) feature of Kerberos?
>   >   - Is it required to port GSSAPI code for this feature of SA?
>   Use GSSAPI everywhere you can. Id you do,you will not have to
>   deal with any of the Kerberos *_REQ or *_REP packets, as the
>   Kerberos GSSAPI does this for you.
>   >   - If so, where should I use this mechansim in kerberos client code?
> That
>   > means, between TGS_REP and AP_REQ?
>   >   - What is the exact procedure to use the GSSAPI code?
>   >
>   >   I am using MIT code and Linux Serevr (sendmail server, SMTP as the
>   > Application server, ie I need to do server authenticatio for that SMTP
>   > server.
>   >
>   Google for   smtp gssapi
>   to find SMPT examples
>   >   POINT#2:
>   >   ----------
>   >   I tried by sending AP_REQ to SMTP server successfuly but I could not
>   > recevice the AP_REP successfuly. I think AP_REQ packet is not properly
>   > understood by SMTP server since I have not been using the GSSAPI code in
> my
>   > implementation. So should I port the GSSAPI code in to my code base and
> do
>   > SA??
>   >
>   Use the GSSPAI...
>   >   POINT#3:
>   >   ======
>   >   - Is the following statement reight?
>   >   Kerberos Server Authentication is not supported by Windows 2003/2000
>   > exchange SMTP server.
>   What do you mean by Kerberos Server Authenticaion?
>   >   Kerberos SA can be done (only) with LINUX/Unix- Send mail SMTP server.
>   >
>   >   Is this statement true????
>   >
>   >   Could you please throw some light on the same?
>   >
>   >   Thank you,
>   >   -Surendra
>   >
>   -- 
>     Douglas E. Engert  <DEEngert at>
>     Argonne National Laboratory
>     9700 South Cass Avenue
>     Argonne, Illinois  60439
>     (630) 252-5444
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list