WS-Security and GSS-API: How do I get the session key?

Douglas E. Engert deengert at
Fri Mar 6 14:28:04 EST 2009 at wrote:
> Hi Luke
> On Feb 24, 9:36 pm, Luke Howard <lu... at> wrote:
>>> I don't recall offhand if there's been an IETF draft proposing the
>>> specific extension we've got for extracting the session key.
>>    major = gss_inquire_sec_context_by_oid(&minor,
>>                                          ctx,
>>                                          GSS_C_INQ_SSPI_SESSION_KEY,
>>                                          &skey);
> Cool, we (Java SE Team at Sun) are also preparing to add a new method
> getSessionKey() to OpenJDK's JGSS-API for Java EE needs.
> BTW, I read the krb5-1.7 codes and notice you're supporting some other
> OIDs for this new function:

Please add at least the above, as it would let the caller get the
Microsoft PAC from the Kerberos ticket if the KDC was Microsoft AD.
The PAC Contains user and group SSIDs and other info from AD.

Original W2000:
More upto ddate info:

Google for ms-pac

Would be useful in a Samba environment which can also add a PAC.

> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?
> Thanks
> Weijun
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list