How do I use KfW kinit.exe with respect to the Windows credentials cache?
Matthew M. DeLoera
mdeloera at exacq.com
Fri Jul 24 14:01:18 EDT 2009
I haven't managed to find any examples of this, and all of my
experiments have failed:
I've got KfW installed. I can successfully use the accompanying
kinit.exe, as well as the Network Identity Manager GUI. Either way, I
can verify my user principal with the included klist.exe. I think
everything is good as far as KRB5 is concerned. Let's say it's
"deloera at SNAFU.ORG".
Can I call AcquireCredentialsHandle (SSPI), pass "deloera at SNAFU.ORG" for
pszPrincipal, and pass NULL for pAuthData? So far, I consistently get
SEC_E_NO_CREDENTIALS from InitializeSecurityContext. Is the credentials
cache that I'm viewing with kinit.exe only accessible by the krb5
libraries and tools? Can't it be referenced in SSPI calls?
I'm trying to mimic Linux/MacOS behavior, where the user must have
previously run kinit to authenticate. Hence in those platforms, I don't
have to store passwords.
In the meantime, I can successfully pass NULL for pAuthData to
successfully reference the default principal (if the user logged into XP
through the domain/realm). I can also pass a literal
username/password/domain into the call. But, that requires me to store
passwords. In case there's a question about it - I'm using the MIT KRB5
KDC in Linux (Ubuntu 6.06). Everything works consistently in these 2
So, any suggestions? Is is possible to authenticate in Microsoft with
kinit.exe on the command-line, then just reference that same cached
credential from Microsoft's SSPI? Any insight would be appeciated.....
More information about the krbdev