How do I use KfW kinit.exe with respect to the Windows credentials cache?

Matthew M. DeLoera mdeloera at
Fri Jul 24 14:01:18 EDT 2009

Good morning/afternoon/etc...

I haven't managed to find any examples of this, and all of my 
experiments have failed:

I've got KfW installed. I can successfully use the accompanying 
kinit.exe, as well as the Network Identity Manager GUI. Either way, I 
can verify my user principal with the included klist.exe. I think 
everything is good as far as KRB5 is concerned. Let's say it's 
"deloera at SNAFU.ORG".

Can I call AcquireCredentialsHandle (SSPI), pass "deloera at SNAFU.ORG" for 
pszPrincipal, and pass NULL for pAuthData? So far, I consistently get 
SEC_E_NO_CREDENTIALS from InitializeSecurityContext. Is the credentials 
cache that I'm viewing with kinit.exe only accessible by the krb5 
libraries and tools? Can't it be referenced in SSPI calls?

I'm trying to mimic Linux/MacOS behavior, where the user must have 
previously run kinit to authenticate. Hence in those platforms, I don't 
have to store passwords.

In the meantime, I can successfully pass NULL for pAuthData to 
successfully reference the default principal (if the user logged into XP 
through the domain/realm). I can also pass a literal 
username/password/domain into the call. But, that requires me to store 
passwords. In case there's a question about it - I'm using the MIT KRB5 
KDC in Linux (Ubuntu 6.06). Everything works consistently in these 2 

So, any suggestions? Is is possible to authenticate in Microsoft with 
kinit.exe on the command-line, then just reference that same cached 
credential from Microsoft's SSPI? Any insight would be appeciated.....

- Matthew

More information about the krbdev mailing list