Application to extract Kerberos Cerdential

Michael B Allen ioplex at
Wed Sep 10 22:48:55 EDT 2008

On Wed, Sep 10, 2008 at 3:59 PM, Rahul Kohli <rahulkohli2001 at> wrote:
> Hi Henry,
> Thanks for your response.
> This C application (shared library) will be used for validating the kerberos credential of a user with KDC on Microsoft AD 2003.
> Please suggest how we can use/develop a C application to validate user's kerberos credentials with KDC located on different system.

You don't need to communicate with the KDC to validate the Kerberos
token supplied by an HTTP client. You only need to use the service
credential to decrypt the authenticator in the token and verify that
the timestamp is within an acceptable range. And, depending on the
system you're using, there are C routines that will perform all of
these details for you. For example, UNIX systems usually come with a
library called GSSAPI that have a gss_accept_sec_context function that
does what you want. Sometimes GSSAPI is part of the Kerberos
installation (e.g. on Linux GSSAPI usually comes with the MIT Kerberos
packages). On Windows, there's something called SSPI which has a very
similar function called AcceptSecurityContext.


> --- On Wed, 9/10/08, Henry B. Hotz <hotz at> wrote:
> From: Henry B. Hotz <hotz at>
> Subject: Re: Application to extract Kerberos Cerdential
> To: "krbdev at" <krbdev at>
> Date: Wednesday, September 10, 2008, 10:45 PM
> On Sep 10, 2008, at 9:17 AM, krbdev-request at wrote:
>> Message: 1
>> Date: Wed, 10 Sep 2008 07:05:39 -0700 (PDT)
>> From: Rahul Kohli <rahulkohli2001 at>
>> Subject: Application to extract Kerberos Cerdentials
>> To: krbdev at
>> Message-ID: <786910.71656.qm at>
>> Content-Type: text/plain; charset=iso-8859-1
>> Hi All,
>> ?
>> I am using Kerberos Client installed on HP-UX with?Active Directory
>> 2003 (KDC Server).?I have verified the setup to be?working fine
>> using Kinit and Klist utilities installed with Kerberos Client.
>> ?
>> I need to develop a sample C/C++ application that can extract User's
>> kerberos credentials from the browser HTTP request and pass it to
>> Kerberos Client for validation with KDC Server.
>> ?
>> Please suggest how can we extract user's kerberos credentials from
>> Browser. Where can I get details of the API's to be used for this
>> purpose.
>> ?
>> Thanks,
>> Rahul
>> ?
> I think this kind of question belongs on the kerberos at list,
> since it's not specific to the MIT implementation.  I've set the reply-
> to header accordingly.
> I don't understand the application you're proposing.  Is it possible
> that what you want is really a web server module like mod_auth_kerb?
> I can't imagine why you would want a *browser* to check a user's
> credentials because the user owns the browser and can run whichever
> one he/she wants, including a custom-modified one.
> For the normal usage scenarios the "extraction" process happens
> automatically as part of some other task.  If you can tell us what
> you're trying to do, then perhaps we can point you at the right API's.
> _______________________________________________
> krbdev mailing list             krbdev at
> ________________________________________________
> Kerberos mailing list           Kerberos at

Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the Kerberos mailing list