Windows future

Sam Hartman hartmans at MIT.EDU
Thu Aug 12 19:26:18 EDT 2010

I assume you're generally familiar with SSPI.

Today, SSPI provides you with a way to get GSS-API.  You need to either
be part of a domain, be willing to store your password in a service
called credman, or modify your application to explicitly pass the
password into the SSPI calls.

On the server, you need to either be part of a domain or explicitly pass
a password into the acceptor for each application.

There's nothing quite like krb5_rd_cred, krb5_mk_cred, krb5_mk_priv,
krb5_rd_priv, krb5_mk_safe, or krb5_rd_safe.
Support for multiple accounts is not as well developed as KFW.
There is no API compatibility with MIT.

There are a few things you can do with GSS-API that you cannot do with
SSPI, mostly surrounding gap/out of order tokens.  If you use SSPI's
facilities for handling sequencing, you cannot process missing tokens in
a UDP protocol.

That's my rough understanding of the current state.


More information about the krbdev mailing list