Authenticating GSSAPI Client to SSPI Service
Michael B Allen
mba2000 at ioplex.com
Thu Feb 8 11:56:50 EST 2007
On Thu, 8 Feb 2007 13:16:23 +0100
"Peger, Daniel Heinrich" <dpeger at cosa.de> wrote:
> I've already successfully verified that the following combinations work
> (both client and service running on the same Windows XP machine):
>
> Client   Service
> ------------------
> GSSAPI   GSSAPI
> SSPI     GSSAPI
> SSPI     SSPI
>
> But if I obtain the service ticket using the GSSAPI methods and try to
> accept the respective security context in the service using
> AcceptSecurityContext(...) from MS's SSPI, I always get
> SEC_E_LOGON_DENIED as return code. As stated above, using the same
> authentication information (username, password and realm) with SSPI's
> InitializeSecurityContext(...), the resulting ticket is verified by the
> test-service.
>
> I already tried to introduce a mapping of the Kerberos user principal
> (test-user at KRBTEST.REALM.ORG) to a local user account (test-user) but
> this didn't help either. Is the group that test-user belongs to of any
> relevance?
No but you said you are using a Heimdal KDC so I'm curious about what
"group" you're talking about since a Heimdal KDC doesn't support groups
that Windows would understand.
> Is this a Microsoft incompatibility issue or is there something special
> that needs to be regarded if trying to use GSSAPI together with SSPI?
It should work just fine. Make sure you have the latest ticket. Otherwise
get a packet capture, paying particular attention to the principal
names being used.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/