WS-Security and GSS-API: How do I get the session key?

Weijun Wang Weijun.Wang at Sun.COM
Tue Mar 10 00:11:04 EDT 2009

I see. So after a security context is established. These functions
should return the same results on both side. Of course, if a particular
piece of info is only available from the encrypted part of the service
ticket, only the service side knows it and this function is not
supported on the client side.


Luke Howard wrote:
> On 09/03/2009, at 1:45 PM, Max (Weijun) Wang wrote:
>>> gss_krb5_get_tkt_flags()
>>> gsskrb5_extract_authz_data_from_sec_context()
>>> gsskrb5_extract_authtime_from_sec_context()
>> I guess the tkt or authXXX above are all for the intial TGT (instead
>> of any service ticket). Right?
> The service ticket; the service does not have the TGT (although the KDC
> may use the TGT in deriving those values).
> -- Luke

More information about the Kerberos mailing list