Use of NT-ENTERPRISE name type via GSS-API
Alan Braggins
alan.braggins at riverbed.com
Wed Jul 2 05:36:08 EDT 2014
I'm using Kerberos constrained delegation (s4u2proxy)
for a proxy server that is authenticating clients to a
Microsoft Active Domain server.
I'm using GSS-API because I want to end up with a SPNEGO
Authorization header, and SPNEGO is a GSS-API mechanism.
The user (client) principals I have to work with have a
"UPN suffix" (have the format <id>@suffix):
http://support.microsoft.com/kb/243629
http://tools.ietf.org/html/rfc6806#section-5
https://groups.google.com/forum/#!topic/comp.protocols.kerberos/2klyzrgsGk0
says "or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL
if GSSAPI supported such a thing"
Inventing a GSS_C_NT_ENTERPRISE_PRINCIPAL OID and patching
krb5_gss_import_name to call krb5_name_parse_flags with
KRB5_PRINCIPAL_PARSE_ENTERPRISE when it's used seems to work,
but obviously it would be better if that was standard.
Or we can just escape the '@' with a '\'.
Any suggestions or recommendations?
Thanks,
Alan
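
The escaping alternative mentioned at the end of the message, as an added example (not code from the post or from any Kerberos implementation): it backslash-escapes the characters a krb5 name parser treats as separators, so that `<id>@suffix` is read as one name component. The function name `upn_escape` and the sample UPNs are constructed for illustration; the assumption is that the result is then imported as an ordinary krb5 principal-name string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape a UPN such as "id@suffix" so that a krb5 name parser reads it as a
 * single name component rather than as "component@REALM".
 * '@' (realm separator), '/' (component separator) and '\' (the escape
 * character itself) are each prefixed with a backslash.
 * Returns the escaped length, or -1 on NULL input or if out is too small.
 */
int upn_escape(const char *upn, char *out, size_t outlen)
{
    size_t o = 0;

    if (upn == NULL || out == NULL || outlen == 0)
        return -1;
    for (const char *p = upn; *p != '\0'; p++) {
        int special = (*p == '@' || *p == '/' || *p == '\\');
        /* need room for this char, an optional backslash, and the NUL */
        if (o + (special ? 2 : 1) >= outlen)
            return -1;
        if (special)
            out[o++] = '\\';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* constructed sample UPNs, not taken from the post */
    const char *samples[] = { "alice@example.test",
                              "svc/web@corp.example.test" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (upn_escape(samples[i], buf, sizeof buf) < 0)
            return 1;
        printf("%s -> %s\n", samples[i], buf);
    }
    return 0;
}
```

A name escaped this way parses as a regular single-component principal in the default realm; it does not carry the NT-ENTERPRISE name type that KRB5_PRINCIPAL_PARSE_ENTERPRISE sets.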