impersonation issue, wrong principal

Martin Gee geemang_2000 at
Thu Oct 8 09:10:34 EDT 2015

Would really appreciate some help with the following.
Krb5 Version: 1.13.2
Desc: I'm implementing constrained delegation. I've wiresharked what I believe is the issue.  Issue: the TGS-REP->Client Name(Principal) on gss_init_sec_context is NOT using my impersonated user cred.  I believe the problem shows itself in step #3 below where the Client Principal is using the gss_service_name NOT the gss_user_name. 
Here is pseudo code. 
Setup:/etc/krb5.conf & /etc/krb5.keytabNOTE: these have been confirmed to work with a GSS Java program
Code:// import_name thesegss_service_name ="host/ at PRACTICE.COM";  gss_user_name="user1 at PRACTICE.COM";gss_host_name="HTTP at";// credsservice_cred;user_cred;
// #1 build /tmp/ccache , create service_credgss_acquire_cred(&minor, gss_service_name,GSS_C_INDEFINITE, &mechset_krb5,GSS_C_INITIATE, &service_cred,NULL,&time_rec);// ProtocolAS-REQ  Client Name: host/  Server Name: krbtgt/PRACTICE.COMAS-REP  Client Name: host/  Ticket      ->Realm: PRACTICE.COM      ->Server Name: krbtgt/PRACTICE.COM
// #2 create impersonated user_credgss_acquire_cred_impersonate_name(minor,service_cred,gss_user_name,GSS_C_INDEFINITE,&mechset_krb5,GSS_C_INITIATE,&user_cred,NULL,&time_rec);// ProtocolAS-REQ   padata->Ticket: krbtgt/PRACTICE.COM   padata->PA-FOR-USER       ->Client Name: user1       ->Realm: PRACTICE.COM       -> S4U2Self Auth: Kerberos  req-body->Server Name: host/  req-body->Realm: PRACTICE.COM     AS-REP  Client Realm: PRACTICE.COM  Client Name: user1  Ticket     -> Realm: PRACTICE.COM     -> Server Name: host/
// #3 Create context for imp user. gss_init_sec_context(&minor,user_cred, &initiator_context,gss_host_name, &mech_spnego,GSS_C_REPLAY_FLAG| GSS_C_SEQUENCE_FLAG| GSS_C_MUTUAL_FLAG| GSS_C_CONF_FLAG,GSS_C_INDEFINITE,NULL,&in_token,NULL, &out_token,NULL,&time_rec);// ProtocolAS-REQ   padata->Ticket: krbtgt/PRACTICE.COM   req-body->Server Name: http/   req-body->Realm: PRACTICE.COM   AS-REP   Client Name (Principal) : host/   ( I BELIEVE THIS SHOULD BE user1 instead )   Ticket:     -> Realm: PRACTICE.COM     -> Server Name: http/

More information about the Kerberos mailing list