How to use GSS-API to add second credential

Newman, Edward (IDS GNS) edward_newman at
Wed Feb 16 08:25:10 EST 2005

I am trying to understand the correct parameters for adding a second
credential through the MIT GSS-API for gss_add_cred. 

If I try the following code I always get the following messages:

GSS-API error adding credentials: An unsupported mechanism was requested
GSS-API error adding credentials: No error

<code example>

    name_buf.value = "krbtest/ at EMEAD.WINDEV.ML.COM"; /*
second_principal; */
    name_buf.length = strlen((char *) name_buf.value) + 1;
    maj_stat = gss_import_name(&min_stat, &name_buf,
				/* (gss_OID) gss_nt_service_name,
&server_name); */
    if (maj_stat != GSS_S_COMPLETE) {
		display_status("importing name", maj_stat, min_stat);
		return -1;

    maj_stat = gss_display_name(&min_stat, server_name, &dispname,
    if (maj_stat != GSS_S_COMPLETE) {
		display_status("display name", maj_stat, min_stat);
		return -1;

	printf ("Name %s\n", dispname.value);

    maj_stat = gss_add_cred(&min_stat, server_creds, server_name,
    if (maj_stat != GSS_S_COMPLETE) {
		display_status("adding credentials", maj_stat,
		return -1;

</code example>

If I use "gss_mech_krb5" as the mechanism then I get an "unresolved
external" link error on Windows platform.

Looking at the gss-api code it looks like gss_add_cred tests for the two
mechanisms - gss_mech_krb5 & gss_mech_krb5_old - explicitly. These do
not appear to be exported through gssapi32.lib so cannot be resolved at
link time. None of the other defined mechanisms appear to match the
tested values.

Why am I doing this?...... I want to have a GSS-API server listen and
accept connections as the same service principal in multiple realms. 

Any thoughts on this appreciated.


Edward Newman, 
IDS Directory Services, 
Merrill Lynch Europe plc 
1 Swan Lane, London, EC4R 3TN 
Phone : +44-(0)-20-7996-0694 
mailto:Edward_Newman at 
If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Click here for important additional terms relating to this e-mail. 

More information about the krbdev mailing list