GSS MIC problems between Unix and Windows

Richard Evans richard.evans at
Wed Apr 6 11:59:42 EDT 2011

I'm using the gss APIs on a Linux box to establish a context with a
Windows 7 system using SSPI.  The context is established fine at both
ends in one handshake, as expected.  The 'supports integrity checking'
flag is correctly set on both contexts.

However I'm then trying to verify a message by generating a MIC at the
Unix end, using gss_get_mic, and verifying at the Windows end using
VerifySignature.  I can never get the verification to succeed.  I get
similar problems if I generate the MIC on Windows using MakeSignature
and verify it on Unix, using gss_verify_mic.

At the Unix end I've tried both the implementation in Java 1.6u24, and
native Kerberos libraries (1.7.1 on Fedora 12). The MIC generated when
the client or server uses the Java APIs is 37 bytes long and looks like
the format described in RFC 1964; the MIC when native Kerberos is used
is 28 bytes long and seems to match RFC 4121.

I can get the test to work if both ends are Windows or both ends are
Unix, but not with a mixture.

Are there any special tricks or problems with using VerifySignature and

The background is that I'm testing gssapi-with-mic support in Apache
SSHD - the final MIC verification is failing.


More information about the krbdev mailing list