Writing gss mechanism - Kerberos user2user

Idan Freiberg speidy at gmail.com
Sun Feb 5 13:43:19 EST 2017


Unfortunately, I didn't find any dedicated U2U doc under MS technical
documents. Also, MS-KILE doesn't include any info about U2U
messages/implementation details.
Regarding the RFC, there is also draft-swift-win2k-krb-user2user-03, but
it's just minor changes.

For me it feels like they tried to keep it as a part of Kerberos so they
can share the existing code for seal/mic/etc.

I started to add it in the same fashion as IAKERB is added to gssapi_krb5.
It seems that IAKERB is also relying on much of the "original" krb5 mech
code.


On Sun, Feb 5, 2017 at 18:27 Greg Hudson <ghudson at mit.edu> wrote:

On 02/05/2017 01:21 AM, Idan Freiberg wrote:
> While it is possible, I'm not sure it's the right way. One reason for that
> is because MS doesn't specify user2user mech as a separate mech in
> MechTypes (NegoTokenInit).
> They actually ask for official krb5 or mskrb5 OIDs, then they include the
> user2user token as the MechToken of the request.

That's a little surprising.  Is there any Microsoft documentation on
this u2u mechanism?  I wasn't able to find any.
draft-ietf-cat-user2user-02 (which is ancient) gives a different OID for
use with SPNEGO.


-- 
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18