Issue in generating Authenticator Data in AP_REQ

Greg Hudson ghudson at MIT.EDU
Wed Aug 29 14:27:49 EDT 2012

On 08/29/2012 12:48 PM, Sankar Das wrote:
> 1. I am trying to use GSS-API. I am not sure how the Authenticator data
> is generated for the AP-REQ embedded in negTokenInit part of GSS-API. Is
> it generated in the same way as in TGS-REQ using the same key?

An AP-REQ used in a GSSAPI krb5 initiator token needs to have a special
checksum (see RFC 4121 section 4.1.1).  Also, the authenticator should
be encrypted with key usage 11 instead of 7 (as key usage 7 is only used
for TGS-REQ authenticators).

> 2. Is there any example program in MIT Kerberos source code distribution
> for the same?

Our code to generate AP-REQs is in lib/krb5/krb/mk_req.c.  Our code to
make GSSAPI krb5 initiator tokens is in
lib/gssapi/krb5/init_sec_context.c.  Our code to do SPNEGO is in

More information about the krbdev mailing list