Using GSSAPI to Authenticate to AD

Michael B Allen ioplex at
Wed Aug 27 12:39:55 EDT 2008

On Wed, Aug 27, 2008 at 4:53 AM,  <neelsmail at> wrote:
> Hi,
> I want to authenticate an Active Directory User using GSSAPI. The code
> would be in C++. To be specific here is the scenario:
> 1] End user adopts/creates one or more Active Directory users using
> any of the AD integration packages on Linux.
> 2] In my executable, which would be always running as root, I find out
> that I need to use AD user and authenticate using GSSAPI
> 3] I cannot impersonate as the user because that would change user
> context of whole process.
> 4] Therefore, I need to somehow find out whether there is already a
> ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
> GSSAPI: GSSAPI::Name->import?)
> 5] If not, process would obtain one.
> 6] Get the ticket and initialize the security context (Win32SDK:
> InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
> 7] Get the token and send it for authentication
> If the process is running in the user context which needs to be
> authenticated, it's easier and I have perl implemenation of it. But in
> this case, since process will always be running as root, I don't know
> if there is a way I can know/get ticket for authentication.
> Is there a sample/example that can, at least in parts if not
> completely, illustrate how this can be done using C/C++ somewhere?
> I found one link on MSDN but don't know whether that's the entire flow/
> applicable:
> Any comments would be welcome.

GSSAPI just handles authentication. That's not terribly difficult to
do in C++ but it's not clear how you get from GSSAPI authentication to
creating users "using any of the AD integration packages on Linux".
There are a lot of details to creating an application like that in
Linux. It's a lot harder than it looks.

Incidentally there is a product called Plexcel that has worked out all
of these details (see the link in my signature - it's also free for up
to 25 users). With the Plexcel PHP extension you can easily create a
web page that will authenticate someone using SPNEGO (or explicit
Kerberos login) and then use the delegated credential to create users,
change passwords, etc [1]. Or you can do it from the commandline. In
fact I have a very nice little Plexcel commandline script for creating
users that a wrote for someone else that I would be happy to give you.
If you want a copy, or if you have any questions about Plexcel feel
free to contact me directly through IOPLEX Software support.


[1] To give you an idea of what the code would look like look at the
example on this page:

Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the Kerberos mailing list