GSS MIC problems between Unix and Windows

Richard Evans richard.evans at
Tue May 3 05:07:00 EDT 2011

I'm still having problems with this. Does anyone have any clues, or is this just a fundamental problem with Kerberos/Windows interaction? Further tests indicate that signature verification also fails with Windows 2000, so it is not specific to Windows 7.


-----Original Message-----
Sent: 06 April 2011 17:00
To: krbdev at
Subject: GSS MIC problems between Unix and Windows

I'm using the gss APIs on a Linux box to establish a context with a
Windows 7 system using SSPI.  The context is established fine at both
ends in one handshake, as expected.  The 'supports integrity checking'
flag is correctly set on both contexts.

However I'm then trying to verify a message by generating a MIC at the
Unix end, using gss_get_mic, and verifying at the Windows end using
VerifySignature.  I can never get the verification to succeed.  I get
similar problems if I generate the MIC on Windows using MakeSignature
and verify it on Unix, using gss_verify_mic.

At the Unix end I've tried both the implementation in Java 1.6u24, and
native Kerberos libraries (1.7.1 on Fedora 12). The MIC generated when
the client or server uses the Java APIs is 37 bytes long and looks like
the format described in RFC 1964; the MIC when native Kerberos is used
is 28 bytes long and seems to match RFC 4121.

I can get the test to work if both ends are Windows or both ends are
Unix, but not with a mixture.

Are there any special tricks or problems with using VerifySignature and

The background is that I'm testing gssapi-with-mic support in Apache
SSHD - the final MIC verification is failing.
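
An added diagnostic example, not part of the original post or of any Kerberos implementation: it classifies a captured Kerberos MIC token as RFC 1964 or RFC 4121 from its header, which accounts for the 37-byte and 28-byte lengths reported above. The function names and the sample tokens are constructed for illustration.

```python
# Added diagnostic sketch: classify a Kerberos GSS MIC token by wire format.
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def unframe(token: bytes):
    """Strip RFC 2743 section 3.1 framing (0x60, DER length, mech OID) if present."""
    if token[:1] != b"\x60":
        return token, False
    if len(token) < 2:
        raise ValueError("truncated framing")
    n, off = token[1], 2
    if n & 0x80:  # long-form DER length
        off += n & 0x7F
        n = int.from_bytes(token[2:off], "big")
    if n != len(token) - off:
        raise ValueError("framing length does not match token size")
    if token[off:off + len(KRB5_OID)] != KRB5_OID:
        raise ValueError("mechanism OID is not Kerberos 5")
    return token[off + len(KRB5_OID):], True

def describe_mic(token: bytes) -> dict:
    body, framed = unframe(token)
    if len(body) < 16:
        raise ValueError("too short for a MIC token header")
    info = {"framed": framed, "total_len": len(token), "checksum_len": len(body) - 16}
    if body[:2] == b"\x01\x01" and body[4:8] == b"\xff" * 4:
        # RFC 1964 1.2.1: TOK_ID, SGN_ALG, filler, SND_SEQ (encrypted), SGN_CKSUM
        info.update(format="RFC 1964", sgn_alg=body[2:4].hex())
    elif body[:2] == b"\x04\x04" and body[3:8] == b"\xff" * 5:
        # RFC 4121 4.2.6.1: TOK_ID, Flags, filler, SND_SEQ (big-endian), SGN_CKSUM
        flags = body[2]
        info.update(format="RFC 4121", seq=int.from_bytes(body[8:16], "big"),
                    sent_by_acceptor=bool(flags & 0x01),
                    acceptor_subkey=bool(flags & 0x04))
    else:
        raise ValueError("not a recognised Kerberos MIC token")
    return info

# Constructed sample tokens (zeroed sequence and checksum fields, not real captures).
SAMPLE_1964 = (b"\x60\x23" + KRB5_OID + b"\x01\x01\x00\x00" + b"\xff" * 4
               + bytes(8) + bytes(8))
SAMPLE_4121 = b"\x04\x04\x00" + b"\xff" * 5 + (7).to_bytes(8, "big") + bytes(12)

if __name__ == "__main__":
    for name, tok in (("1964", SAMPLE_1964), ("4121", SAMPLE_4121)):
        print(name, describe_mic(tok))
```

Feeding it the bytes returned by gss_get_mic and by MakeSignature shows whether the two ends are emitting the same token format before any checksum comparison is attempted.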

