SSPI not populating Microsoft Kerberos cache

K.G. Gokulavasan kgokulavasan at
Mon Mar 27 07:52:19 EST 2006

   We are trying to kerberize an application. We are using GSSAPI on
the server side and SSPI on the client side since the client is only on
Windows. We are using the AcquireCredentialsHandle(Kerberos) and
InitializeSecurityContext calls of SSPI. There are 2 scenarios in which
the user initiates the application client:

1) User has done a Kerberos login to the workstation itself (workstation
service object is created in MIT KDC):
     In this case the SSPI calls go through fine using the existing
TGT in the Microsoft Kerberos cache and populate the cache with the service

2) User has done an NTLM login to the workstation:
    In this case, the application client takes the user principal name and
Kerberos password as input and makes the SSPI calls. The SSPI calls acquire
the TGT and service ticket from the MIT KDC, the calls succeed, and the
application works. But neither the TGT nor the service ticket is present
in the Microsoft Kerberos cache.

   So how do we cache the TGT using an SSPI call? Do we have to make any
other calls to populate the cache?

