GSS MIC problems between Unix and Windows

Olga Kornievskaia aglo at
Tue May 3 15:31:23 EDT 2011

What error code do you get from VerifySignature()?

On Wed, Apr 6, 2011 at 11:59 AM, Richard Evans
<richard.evans at> wrote:
> I'm using the gss APIs on a Linux box to establish a context with a
> Windows 7 system using SSPI.  The context is established fine at both
> ends in one handshake, as expected.  The 'supports integrity checking'
> flag is correctly set on both contexts.
>
> However I'm then trying to verify a message by generating a MIC at the
> Unix end, using gss_get_mic, and verifying at the Windows end using
> VerifySignature.  I can never get the verification to succeed.  I get
> similar problems if I generate the MIC on Windows using MakeSignature
> and verify it on Unix, using gss_verify_mic.
>
> At the Unix end I've tried both the implementation in Java 1.6u24, and
> native Kerberos libraries (1.7.1 on Fedora 12). The MIC generated when
> the client or server uses the Java APIs is 37 bytes long and looks like
> the format described in RFC 1964; the MIC when native Kerberos is used
> is 28 bytes long and seems to match RFC 4121.
>
> I can get the test to work if both ends are Windows or both ends are
> Unix, but not with a mixture.
>
> Are there any special tricks or problems with using VerifySignature and
> gss_get_mic?
>
> The background is that I'm testing gssapi-with-mic support in Apache
> SSHD - the final MIC verification is failing.
>
> Richard

More information about the krbdev mailing list
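
Added example, not code from the thread or from any Kerberos implementation: when debugging a cross-platform MIC mismatch like the one described above, it helps to confirm which token layout each side emits. This C sketch classifies a Kerberos MIC token as RFC 1964 or RFC 4121 from its header bytes and reports the checksum length; the names `classify_mic`, `SAMPLE_4121` and `SAMPLE_1964` are hypothetical and the sample tokens are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum mic_format { MIC_UNKNOWN, MIC_RFC1964, MIC_RFC4121 };

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const unsigned char KRB5_OID[] =
    { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static const unsigned char FILLER[] = { 0xff, 0xff, 0xff, 0xff, 0xff };

/* Classify a MIC token by its header; *cksum receives the checksum length. */
enum mic_format classify_mic(const unsigned char *t, size_t len, size_t *cksum)
{
    size_t off = 2;
    *cksum = 0;
    /* RFC 4121: no framing; TOK_ID 04 04, flags, ff x5, SND_SEQ(8), checksum */
    if (len > 16 && t[0] == 0x04 && t[1] == 0x04 && !memcmp(t + 3, FILLER, 5)) {
        *cksum = len - 16;
        return MIC_RFC4121;
    }
    /* RFC 1964: 0x60, DER length, mech OID; then TOK_ID 01 01, SGN_ALG(2),
       ff x4, SND_SEQ(8), checksum */
    if (len < 2 || t[0] != 0x60) return MIC_UNKNOWN;
    if (t[1] & 0x80) off += t[1] & 0x7f;   /* skip long-form length octets */
    if (len <= off + sizeof KRB5_OID + 16) return MIC_UNKNOWN;
    if (memcmp(t + off, KRB5_OID, sizeof KRB5_OID) != 0) return MIC_UNKNOWN;
    off += sizeof KRB5_OID;
    if (t[off] != 0x01 || t[off + 1] != 0x01 || memcmp(t + off + 4, FILLER, 4))
        return MIC_UNKNOWN;
    *cksum = len - off - 16;
    return MIC_RFC1964;
}

/* Constructed samples (zeroed SND_SEQ and checksum), sized like the 28- and
   37-byte MICs reported in the thread. */
static const unsigned char SAMPLE_4121[28] =
    { 0x04, 0x04, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff };
static const unsigned char SAMPLE_1964[37] =
    { 0x60, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02,
      0x02, 0x01, 0x01, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff };

int main(void)
{
    size_t a, b;
    int fa = classify_mic(SAMPLE_4121, sizeof SAMPLE_4121, &a);
    int fb = classify_mic(SAMPLE_1964, sizeof SAMPLE_1964, &b);
    printf("%d/%zu %d/%zu\n", fa, a, fb, b);
    return 0;
}
```

A 28-byte RFC 4121 token carries a 12-byte checksum after its 16-byte header, while a 37-byte RFC 1964 token carries an 8-byte checksum after 13 bytes of framing and a 16-byte header.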