Authenticating GSSAPI Client to SSPI Service

Michael B Allen mba2000 at ioplex.com
Thu Feb 8 11:56:50 EST 2007


On Thu, 8 Feb 2007 13:16:23 +0100
"Peger, Daniel Heinrich" <dpeger at cosa.de> wrote:

> I've already successfully verified that the following combinations work
> (both client and service running on the same Windows XP machine):
> 
>     Client   Service
>     ----------------
>     GSSAPI   GSSAPI
>     SSPI     GSSAPI
>     SSPI     SSPI
> 
> But if I obtain the service ticket using the GSSAPI methods and try to
> accept the respective security context in the service using
> AcceptSecurityContext(...) from MS's SSPI, I always get
> SEC_E_LOGON_DENIED as return code. As stated above, using the same
> authentication information (username, password and realm) with SSPI's
> InitializeSecurityContext(...), the resulting ticket is verified by the
> test-service.
> 
> I already tried to introduce a mapping of the Kerberos user principal
> (test-user at KRBTEST.REALM.ORG) to a local user account (test-user) but
> this didn't help either. Is the group that test-user belongs to of any
> relevance?

No, but you said you are using a Heimdal KDC so I'm curious about what
"group" you're talking about since a Heimdal KDC doesn't support groups
that Windows would understand.

> Is this a Microsoft incompatibility issue or is there something special
> that needs to be regarded if trying to use GSSAPI together with SSPI?

It should work just fine. Make sure you have the latest ticket. Otherwise
get a packet capture paying particular attention to the principal
names being used.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
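
One way to check the principal names mentioned in the reply above without a full packet dissector: the ticket's realm and service name sit outside the encrypted part of the AP-REQ, so they can be read directly from the token the client sends. This is an added example, not part of the original post; it assumes a raw Kerberos 5 mechanism token (not SPNEGO-wrapped), and the service name HTTP/web.example.test, the dummy ciphertext and all helper names are constructed for illustration.

```python
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def elements(buf):  # yields (low five tag bits, value) for each element in buf
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag & 0x1F, val

def unwrap(buf, expected_tag):
    tag, val, _ = read_tlv(buf)
    if tag != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#x}, got {tag:#x}")
    return val

def service_principal(token):
    """Return 'name/instance@REALM' from the ticket in a krb5 initial token."""
    body = unwrap(token, 0x60)  # GSS-API InitialContextToken
    if not body.startswith(KRB5_OID) or body[11:13] != b"\x01\x00":
        raise ValueError("not a raw Kerberos 5 AP-REQ token (SPNEGO-wrapped?)")
    ap_req = dict(elements(unwrap(unwrap(body[13:], 0x6E), 0x30)))
    ticket = dict(elements(unwrap(unwrap(ap_req[3], 0x61), 0x30)))
    sname = dict(elements(unwrap(ticket[2], 0x30)))  # PrincipalName
    parts = [v.decode() for _, v in elements(unwrap(sname[1], 0x30))]
    return "/".join(parts) + "@" + unwrap(ticket[1], 0x1B).decode()

def tlv(tag, *parts):  # DER encoder, used only to build the constructed sample
    body = b"".join(parts)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_token():  # constructed sample token with dummy ciphertext
    gs, num = (lambda s: tlv(0x1B, s)), (lambda i: tlv(0x02, bytes([i])))
    seq = lambda *f: tlv(0x30, *(tlv(0xA0 | i, v) for i, v in enumerate(f) if v))
    sname = seq(num(2), tlv(0x30, gs(b"HTTP"), gs(b"web.example.test")))
    enc = seq(num(23), None, tlv(0x04, bytes(16)))
    ticket = tlv(0x61, seq(num(5), gs(b"KRBTEST.REALM.ORG"), sname, enc))
    ap_req = tlv(0x6E, seq(num(5), num(14), tlv(0x03, bytes(5)), ticket, enc))
    return tlv(0x60, KRB5_OID, b"\x01\x00", ap_req)
```

Comparing the returned string for a token built by the GSSAPI client with one built by the SSPI client shows whether the two request a ticket for the same service principal and realm.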


