Using GSSAPI to Authenticate to AD neelsmail at
Wed Aug 27 09:30:13 EDT 2008

On Aug 27, 1:53 pm, neelsm... at wrote:
> Hi,
> I want to authenticate an Active Directory User using GSSAPI. The code
> would be in C++. To be specific here is the scenario:
> 1] End user adopts/creates one or more Active Directory users using
> any of the AD integration packages on Linux.
> 2] In my executable, which would be always running as root, I find out
> that I need to use AD user and authenticate using GSSAPI
> 3] I cannot impersonate as the user because that would change user
> context of whole process.
> 4] Therefore, I need to somehow find out whether there is already a
> ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
> GSSAPI: GSSAPI::Name->import?)
> 5] If not, process would obtain one.
> 6] Get the ticket and initialize the security context (Win32SDK:
> InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
> 7] Get the token and send it for authentication
> If the process is running in the user context which needs to be
> authenticated, it's easier and I have perl implemenation of it. But in
> this case, since process will always be running as root, I don't know
> if there is a way I can know/get ticket for authentication.
> Is there a sample/example that can, at least in parts if not
> completely, illustrate how this can be done using C/C++ somewhere?
> I found one link on MSDN but don't know whether that's the entire flow/
> applicable:
> Any comments would be welcome.
> Thanks in advance,
> -Neel.

After searching for the answer, I believe the question above can be
shortened to:
How can I acquire handle to credentials of a different user than the
one process running as, without impersonating that user?

I found this post:

It mentions about setting KRB5CCNAME before calling gss_acquire_cred
which may be simple but that raises couple of questions:
- If I running a multi threaded application each thread needing to set
KRB5CCNAME so that it can call gss_acquire_cred, it will affect the
application. Is there a way to let gss_acquire_cred/
gss_init_sec_context know which credential cache to use without
blocking the whole app?

- Even though I can specify which credential cache file name to use
from within my app, any external "kinit" calls will still create
different files. Is there an api where I can specify what user I need
to get ticket of if already created?

Again, any comments will be welcome.


More information about the Kerberos mailing list