Using GSSAPI to Authenticate to AD neelsmail at
Wed Aug 27 04:53:46 EDT 2008


I want to authenticate an Active Directory User using GSSAPI. The code
would be in C++. To be specific here is the scenario:

1] End user adopts/creates one or more Active Directory users using
any of the AD integration packages on Linux.
2] In my executable, which would be always running as root, I find out
that I need to use AD user and authenticate using GSSAPI
3] I cannot impersonate as the user because that would change user
context of whole process.
4] Therefore, I need to somehow find out whether there is already a
ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
GSSAPI: GSSAPI::Name->import?)
5] If not, process would obtain one.
6] Get the ticket and initialize the security context (Win32SDK:
InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
7] Get the token and send it for authentication

If the process is running in the user context which needs to be
authenticated, it's easier and I have perl implemenation of it. But in
this case, since process will always be running as root, I don't know
if there is a way I can know/get ticket for authentication.

Is there a sample/example that can, at least in parts if not
completely, illustrate how this can be done using C/C++ somewhere?

I found one link on MSDN but don't know whether that's the entire flow/

Any comments would be welcome.

Thanks in advance,

More information about the Kerberos mailing list