Miscellaneous failure: Matching credential not found

Jeffrey Altman jaltman at secure-endpoints.com
Wed Sep 19 08:48:18 EDT 2007


eswars wrote:
> I am trying to use server username (ex: test at MYDOMAIN.COM) to generate
> service ticket through which I can mutually authenticate with Server.
>
> This is working fine in all English Windows OS. Here what I am doing is
> ms2mit code I am using to get default windows logon user ticket to be cached
> to MIT file cache. Whenever gss_init_sec_context() tries to use that default
> cache to generate service ticket I got error "miscellaneous failure:
> Matching credential not found".
>
> Even in the leash not able to show the Username properly. It shows something
> in Chinese (some garbage).
>
> I feel there is problem in writing ticket to cache file. If I do kinit with
> password and try for service ticket with gss_init_sec_context() it is fine
> even in Chinese OS.

I suspect the problem is character set related.  The Kerberos protocol
as currently specified in RFC4120 only supports US.ASCII.  Microsoft
bent the rules to support UNICODE and can do so in their API because
internally all string data is stored as UNICODE.

MIT Kerberos stores all string data as "C" language strings.  (A
sequence of single byte characters followed by a terminating NUL.)
When the MSLSA ccache is used, it translates all strings from Unicode
to the local system's ANSI character set.  However, there is a trick
used.  Unless MIT Kerberos is attempting to actually use the ticket,
the MSLSA ccache routines do not actually read the ticket and therefore
it limits the potential opportunity for damage.

When you copy tickets from the MSLSA to FILE ccaches, the entire ticket
must be copied and all strings translated.  My guess is that the damage
is occurring not in the FILE ccache but in the Unicode to ANSI
translation that takes place as part of the export.

This would best be verified using the Microsoft Debugging Tools for
Windows in combination with the Debugging Symbols that ship with KFW
and the matching source code for the version you are using.

Jeffrey Altman
Secure Endpoints Inc.
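
The reply above suspects that string translation during the MSLSA-to-FILE copy damages the names written to the cache. As an added example (not part of the original message and not KFW code), the Python below reads the default principal from a FILE ccache image and reports which fields hold bytes outside printable US-ASCII. It assumes the version 0x0503/0x0504 file layout; the helper `build_sample` and both sample images are constructed for illustration.

```python
import struct

def read_default_principal(data):
    """Return (realm, components) as raw bytes from a FILE ccache image."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version not in (0x0503, 0x0504):
        raise ValueError(f"unsupported ccache version 0x{version:04x}")
    pos = 2
    if version == 0x0504:
        # v4 only: 16-bit length of a tagged header block, skipped here
        (hdr_len,) = struct.unpack_from(">H", data, pos)
        pos += 2 + hdr_len

    def counted(pos):
        # Every string is stored as a 32-bit big-endian length plus raw bytes
        (n,) = struct.unpack_from(">I", data, pos)
        chunk = data[pos + 4 : pos + 4 + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        return chunk, pos + 4 + n

    _name_type, ncomp = struct.unpack_from(">II", data, pos)
    realm, pos = counted(pos + 8)
    comps = []
    for _ in range(ncomp):
        comp, pos = counted(pos)
        comps.append(comp)
    return realm, comps

def non_ascii_fields(realm, comps):
    """Names of the fields holding bytes outside printable US-ASCII."""
    fields = [("realm", realm)] + [(f"component[{i}]", c) for i, c in enumerate(comps)]
    return [name for name, raw in fields if any(b < 0x20 or b > 0x7E for b in raw)]

def build_sample(realm, comps):
    # Constructed v4 image: version, 12-byte header (tag 1, length 8), principal
    out = struct.pack(">HHHH8x", 0x0504, 12, 1, 8)
    out += struct.pack(">II", 1, len(comps))  # name type 1, component count
    for field in [realm] + list(comps):
        out += struct.pack(">I", len(field)) + field
    return out

# Constructed samples: a clean principal, and one whose name holds
# non-ASCII bytes standing in for a damaged translation
GOOD = build_sample(b"MYDOMAIN.COM", [b"test"])
BAD = build_sample(b"MYDOMAIN.COM", [b"\xb2\xe2\xca\xd4"])

if __name__ == "__main__":
    for label, image in (("good", GOOD), ("bad", BAD)):
        print(label, non_ascii_fields(*read_default_principal(image)))
```

Running the same check on the cache written after a password kinit and on the one produced by the copy shows whether the stored principal differs between the two.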
