KFW 3.1 credentials and the default cache

Wed Mar 7 16:23:18 EST 2007

Eli:

The idea here is that the user selects the identity that the user wants
to be the default and NetIDMgr marks the ccache associated with that
identity as the default ccache in the user's registry hive.

When using the GSS-API if you specify a specific name in the
gss_acquire_creds() call, then gssapi32.dll will try to find a ccache
for the principal and will use that ccache.  There is a bug in the
implementation in KFW 3.1 that has been fixed in the source tree and
will be incorporated into KFW 3.2 when it is released.

There are no APIs at present that are stable that can be used to search
the available credential caches.  MIT has worked on a new library called
Kerberos Identity Management (KIM) but there are no available resources
at the present time to implement it on Microsoft Windows.  KIM will be
the replacement for the Leash API for both 32-bit and 64-bit platforms.
If your firm is interested in funding such a project please contact
myself or Sam Hartman.

Jeffrey Altman
Secure Endpoints Inc.

Eli Breder wrote:
> Hi,
> 
> I hope someone can help me with the following problem we are having. Net ID
> Manager caches credentials by identity as opposed to the older mechanism
> which stored credentials in one cache ("API:krbcc5"). As a 3rd party app, we
> seem to only be able to retrieve credentials from the default cache through
> the current API (KFW 3.1). We make the following API calls we make when we
> attempt to get credentials for a given principal:
> 
> krb5_cc_default( m_KrbApp.krb5_ctx,  &m_KrbApp.k5_ccache );
> krb5_sname_to_principal( m_KrbApp.krb5_ctx, m_KrbApp.szServerName,
> KRB5_TGS_NAME, KRB5_NT_SRV_HST, &Cred->server ) );
> krb5_cc_get_principal( m_KrbApp.krb5_ctx, m_KrbApp.k5_ccache, &Cred->client
> );
> krb5_cc_start_seq_get( m_KrbApp.krb5_ctx, m_KrbApp.k5_ccache, &curs ); 
> krb5_cc_next_cred( m_KrbApp.krb5_ctx, m_KrbApp.k5_ccache, &curs, Cred );
> krb5_cc_end_seq_get( m_KrbApp.krb5_ctx, m_KrbApp.k5_ccache, &curs );
>  
> Are there any APIs that will allow us to search or enumerate through all
> available caches?
> We have a similar problem when using GSSAPI.
>  
> Thank you.
>  
> Eli Breder
> Software Developer
>  
> 
> Hummingbird Connectivity - A Division of Open Text 
> 
> 1010 Sherbrooke West - Suite 811
> 
> H3A 2R7, Montreal, QC 
> 
> Canada 
>  
> Phone:      +1 514 281 5551 ext. 231
> 
> e-mail:      eli.breder at hummingbird.com
> 
> Web site:  http://connectivity.hummingbird.com
> <BLOCKED::http://connectivity.hummingbird.com/> 
>  
> This e-mail is protected by domestic and international copyright laws and
> treaties and is the property of Open Text Corporation, it may contain
> confidential and/or trade secret information of the Open Text Corporation
> and/or its subsidiaries (OTC), and may be subject to legal privilege in
> favor of OTC. This e-mail may only be lawfully received, accessed, displayed
> on a computer screen, printed, copied, and/or used by the specific
> addressee(s) named above ("Authorized Recipient") for the purpose for which
> it was sent by OTC. All other rights and licenses to this e-mail are fully
> reserved to OTC. If you are not an Authorized Recipient, you are required to
> immediately delete this e-mail in its entirety without printing, copying,
> using, and/or re-transmitting this e-mail, either in whole or in part. The
> transmission of this e-mail by OTC is not to be construed as a waiver by OTC
> and/or the individual sending this e-mail on behalf of OTC of any of their
> respective rights or privileges at law or otherwise, howsoever arising.
> 
>  
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070307/b1697b0d/attachment.bin