WS-Security and GSS-API: How do I get the session key?
Douglas E. Engert
deengert at anl.gov
Fri Mar 6 14:28:04 EST 2009
weijun.wang at sun.com wrote:
> Hi Luke
>
> On Feb 24, 9:36 pm, Luke Howard <lu... at padl.com> wrote:
>>> I don't recall offhand if there's been an IETF draft proposing the
>>> specific extension we've got for extracting the session key.
>
>> major = gss_inquire_sec_context_by_oid(&minor,
>> ctx,
>> GSS_C_INQ_SSPI_SESSION_KEY,
>> &skey);
>
> Cool, we (Java SE Team at Sun) are also preparing to add a new method
> getSessionKey() to OpenJDK's JGSS-API for Java EE needs.
>
> BTW, I read the krb5-1.7 codes and notice you're supporting some other
> OIDs for this new function:
>
> KRB5_GET_TKT_FLAGS
> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
Please add at least the above, as it would let the caller get the
Microsoft PAC from the Kerberos ticket if the KDC was Microsoft AD.
The PAC Contains user and group SSIDs and other info from AD.
Original W2000:
http://msdn.microsoft.com/en-us/library/aa302203.aspx
More upto ddate info:
http://technet.microsoft.com/en-us/library/cc733967.aspx
http://msdn.microsoft.com/en-us/library/cc237917(PROT.10).aspx
Google for site:microsoft.com ms-pac
Would be useful in a Samba environment which can also add a PAC.
> KRB5_EXPORT_LUCID_SEC_CONTEXT
> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>
> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?
>
> Thanks
> Weijun
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list