hartmans at MIT.EDU
Thu Aug 12 19:26:18 EDT 2010
I assume you're generally familiar with SSPI.

Today, SSPI provides you with a way to get GSS-API. You need to either
be part of a domain, be willing to store your password in a service
called credman, or modify your application to explicitly pass the
password into the SSPI calls.

On the server, you need to either be part of a domain or explicitly pass
a password into the acceptor for each application.

There's nothing quite like krb5_rd_cred, krb5_mk_cred, krb5_mk_priv,
krb5_rd_priv, krb5_mk_safe, or krb5_rd_safe.

Support for multiple accounts is not as well developed as KFW.

There is no API compatibility with MIT.

There are a few things you can do with GSS-API that you cannot do with
SSPI, mostly surrounding gap/out of order tokens. If you use SSPI's
facilities for handling sequencing, you cannot process missing tokens in
a UDP protocol.

That's my rough understanding of the current state.