Authenticating GSSAPI Client to SSPI Service

Peger, Daniel Heinrich dpeger at cosa.de
Thu Feb 8 07:16:23 EST 2007


Hi,

I'm currently trying to set up authentication between a client that uses
the MIT GSSAPI implementation to obtain its Kerberos credentials and to
initialize the security context and a server/service that uses
Microsoft's SSPI methods to authenticate and accept a security context.
I'm using a Heimdal KDC for authentication and for providing the service
tickets.

I've already successfully verified that the following combinations work
(both client and service running on the same Windows XP machine):

	Client    Service
	------------------
	GSSAPI    GSSAPI
	SSPI      GSSAPI
	SSPI      SSPI

But if I obtain the service ticket using the GSSAPI methods and try to
accept the respective security context in the service using
AcceptSecurityContext(...) from MS's SSPI, I always get
SEC_E_LOGON_DENIED as return code. As stated above, using the same
authentication information (username, password and realm) with SSPI's
InitializeSecurityContext(...), the resulting ticket is verified by the
test-service.

I already tried to introduce a mapping of the Kerberos user principal
(test-user@KRBTEST.REALM.ORG) to a local user account (test-user), but
this didn't help either. Is the group that test-user belongs to of any
relevance? I set up test-user to be a member of guests only...

Is this a Microsoft incompatibility issue, or is there something special
that needs to be regarded when trying to use GSSAPI together with SSPI?

Best Regards,
Daniel.
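Added diagnostic example (not from Daniel's post, and not MIT, Heimdal or Microsoft code): a minimal DER decoder for the first token a Kerberos client sends, the RFC 2743 InitialContextToken that wraps a KRB_AP_REQ. It reports the mechanism OID, the realm, the service principal name and name type, the ticket key version and the ticket enctype. When one acceptor (GSSAPI) takes a token and another (SSPI) answers SEC_E_LOGON_DENIED, these are the fields worth comparing between the token the MIT client produced and the one the SSPI client produced, before looking at account mappings. The sample token is constructed inline: the realm KRBTEST.REALM.ORG is from the post, the service name example-service.krbtest.realm.org and all cipher bytes are placeholders. Nothing is cryptographically verified; the decoder only reads plaintext fields of the ticket.

```python
"""Decode the plaintext fields of a GSS-API Kerberos initial context token.
Added example; performs no cryptographic validation."""

KRB5_MECH = "1.2.840.113554.1.2.2"        # RFC 1964 Kerberos V5 mechanism
MS_KRB5_MECH = "1.2.840.48018.1.2.2"      # Microsoft variant of the same
MECH_NAMES = {KRB5_MECH: "Kerberos V5", MS_KRB5_MECH: "MS Kerberos V5",
              "1.3.6.1.5.5.2": "SPNEGO"}
NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 3: "NT-SRV-HST"}
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed value's body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def explicit(body):
    """Kerberos ASN.1 uses EXPLICIT tags: [n] wraps exactly one element."""
    tag, val, end = read_tlv(body, 0)
    if end != len(body):
        raise ValueError("explicit tag with trailing data")
    return tag, val


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_int(body):
    return int.from_bytes(body, "big", signed=True)


def parse_ap_req(data):
    """Plaintext fields of an AP-REQ (RFC 4120 5.5.1) and its Ticket (5.3)."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x6E:                        # [APPLICATION 14] AP-REQ
        raise ValueError("not an AP-REQ")
    fields = dict(children(explicit(body)[1]))
    ticket_tag, ticket_body = explicit(fields[0xA3])
    if ticket_tag != 0x61:                 # [APPLICATION 1] Ticket
        raise ValueError("not a Ticket")
    tk = dict(children(explicit(ticket_body)[1]))
    realm = explicit(tk[0xA1])[1].decode("ascii")
    pn = dict(children(explicit(tk[0xA2])[1]))
    name_type = decode_int(explicit(pn[0xA0])[1])
    sname = [v.decode("ascii") for _, v in children(explicit(pn[0xA1])[1])]
    enc = dict(children(explicit(tk[0xA3])[1]))
    etype = decode_int(explicit(enc[0xA0])[1])
    kvno = decode_int(explicit(enc[0xA1])[1]) if 0xA1 in enc else None
    return {"realm": realm, "name_type": name_type,
            "name_type_name": NAME_TYPES.get(name_type, "unknown"),
            "sname": sname, "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "unknown"), "kvno": kvno}


def parse_gss_token(token):
    """Unwrap the RFC 2743 InitialContextToken and, for krb5, the AP-REQ."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:                        # [APPLICATION 0] IMPLICIT SEQUENCE
        raise ValueError("not an InitialContextToken")
    mtag, mech_body, pos = read_tlv(body, 0)
    if mtag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = decode_oid(mech_body)
    info = {"mech": mech, "mech_name": MECH_NAMES.get(mech, "unknown")}
    inner = body[pos:]
    if mech in (KRB5_MECH, MS_KRB5_MECH):
        info["tok_id"] = inner[:2].hex()   # RFC 1964: 01 00 = KRB_AP_REQ
        if inner[:2] == b"\x01\x00":
            info.update(parse_ap_req(inner[2:]))
    return info


# --- DER builder, used only to construct the sample token below ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body


def ctx(n, inner):
    return tlv(0xA0 + n, inner)


def integer(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def gstr(s):
    return tlv(0x1B, s.encode("ascii"))   # GeneralString


def build_sample_token():
    """Constructed sample token: real structure, placeholder cipher bytes."""
    sname = tlv(0x30, ctx(0, integer(3)) +  # NT-SRV-HST
                ctx(1, tlv(0x30, gstr("host") + gstr("example-service.krbtest.realm.org"))))
    enc = tlv(0x30, ctx(0, integer(23)) + ctx(1, integer(3)) + ctx(2, tlv(0x04, bytes(24))))
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gstr("KRBTEST.REALM.ORG"))
                           + ctx(2, sname) + ctx(3, enc)))
    authenticator = tlv(0x30, ctx(0, integer(23)) + ctx(2, tlv(0x04, bytes(24))))
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14))
                           + ctx(2, tlv(0x03, b"\x00\x20\x00\x00\x00"))  # mutual-required
                           + ctx(3, ticket) + ctx(4, authenticator)))
    mech_oid = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
    return tlv(0x60, mech_oid + b"\x01\x00" + ap_req)


if __name__ == "__main__":
    for key, value in parse_gss_token(build_sample_token()).items():
        print(f"{key:15} {value}")
```

To use it on a real capture, feed the bytes of the first output token from gss_init_sec_context (or the first InitializeSecurityContext output buffer) to parse_gss_token; a SPNEGO-wrapped token will only yield the mechanism OID, since the inner AP-REQ then sits inside the NegTokenInit structure.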
 
E-Mail Disclaimer 
 
Aus Rechts- und Sicherheitsgruenden ist die in dieser E-Mail gegebene 
Information nicht rechtsverbindlich. Eine rechtsverbindliche Bestaetigung 
reichen wir Ihnen gerne auf Anforderung in schriftlicher Form nach. 
Beachten Sie bitte, dass jede Form der unautorisierten Nutzung, 
Veroeffentlichung, Vervielfaeltigung oder Weitergabe des Inhalts dieser 
E-Mail nicht gestattet ist. Diese Nachricht ist ausschliesslich fuer 
den bezeichneten Adressaten oder dessen Vertreter bestimmt. Sollten Sie 
nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein, 
so bitten wir Sie, sich mit dem Absender der E-Mail in Verbindung zu setzen.


For legal and security reasons the information provided in this e-mail is not 
legally binding. Upon request we would be pleased to provide you with a legally 
binding confirmation in written form. Any form of unauthorised use, publication, 
reproduction, copying or disclosure of the content of this e-mail is not permitted. 
This message is exclusively for the person addressed or their representative. 
If you are not the intended recipient of this message and its contents, please 
notify the sender immediately.





More information about the Kerberos mailing list