Writing gss mechanism - Kerberos user2user

Idan Freiberg speidy at gmail.com
Sun Feb 5 13:48:02 EST 2017

Just to make it clear, the user2user MechToken inside the NegTokenInit has
the OID from the draft-swift-win2k-krb-user2user RFC draft.

On Sun, Feb 5, 2017 at 8:42 PM Idan Freiberg <speidy at gmail.com> wrote:

> Unfortunately, I didn't find any dedicated U2U doc under MS technical
> documents. Also, MS-KILE doesn't include any info about U2U
> messages/implementation details.
> Regarding the RFC, there is also a draft-swift-win2k-krb-user2user*-03* but
> it's just minor changes.
> For me it feels like they tried to keep it as a part of Kerberos so they
> can share the existing code for seal/mic/etc.
> I started to add it in the same fashion as IAKERB is added to gssapi_krb5.
> It seems that IAKERB is also relying on much of the "original" krb5 mech
> code.
> On Sun, Feb 5, 2017 at 18:27 Greg Hudson <ghudson at mit.edu> wrote:
> On 02/05/2017 01:21 AM, Idan Freiberg wrote:
> > While it is possible, I'm not sure it's the right way. One reason for that
> > is because MS doesn't specify user2user mech as a separate mech in
> > MechTypes (NegTokenInit).
> > They actually ask for official krb5 or mskrb5 oids, then they include the
> > user2user token as the MechToken of the request.
> That's a little surprising.  Is there any Microsoft documentation on
> this u2u mechanism?  I wasn't able to find any.
> draft-ietf-cat-user2user-02 (which is ancient) gives a different OID for
> use with SPNEGO.
> --
> Idan Freiberg
> PGP FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18
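As an added example (not code from this thread or from MIT krb5), a small Python decoder for the layout described above: it reads a SPNEGO NegTokenInit, lists the OIDs in mechTypes, and pulls the OID out of the RFC 2743 InitialContextToken framing inside mechToken, so a captured token can be checked for a user2user token riding under the krb5 or mskrb5 mechType. The user2user OID value 1.2.840.113554.1.2.2.3 is assumed from draft-swift-win2k-krb-user2user, and the sample token is constructed here with a placeholder body.

```python
SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
MSKRB5 = bytes.fromhex("2a864882f712010202")       # 1.2.840.48018.1.2.2
USER2USER = bytes.fromhex("2a864886f71201020203")  # 1.2.840.113554.1.2.2.3, value assumed from the draft

def der_tlv(buf, pos=0):          # decode one DER TLV -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                 # long-form length: low 7 bits = number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):          # every TLV directly inside a constructed value
    pos, out = 0, []
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(b):                # DER OID content bytes -> dotted string
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        n = (n << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def tlv(tag, payload):            # short-form DER encoder, enough for the sample below
    return bytes([tag, len(payload)]) + payload

def inspect_negtokeninit(token):
    """Return (mechTypes as dotted OIDs, OID inside the mechToken's InitialContextToken or None)."""
    tag, body, _ = der_tlv(token)
    _, oid, pos = der_tlv(body)
    ctag, choice, _ = der_tlv(body, pos)
    if tag != 0x60 or oid != SPNEGO or ctag != 0xA0:   # [0] negTokenInit only
        raise ValueError("not a SPNEGO NegTokenInit")
    mech_types, inner_oid = [], None
    for ftag, fval in der_children(der_tlv(choice)[1]):
        if ftag == 0xA0:          # [0] mechTypes: SEQUENCE OF OID
            mech_types = [decode_oid(o) for _, o in der_children(der_tlv(fval)[1])]
        elif ftag == 0xA2:        # [2] mechToken: OCTET STRING holding the mech's first token
            itag, ibody, _ = der_tlv(der_tlv(fval)[1])
            if itag == 0x60:      # RFC 2743 InitialContextToken: OID, then mech data
                inner_oid = decode_oid(der_tlv(ibody)[1])
    return mech_types, inner_oid

# Constructed sample in the layout the thread describes; inner token body is a placeholder
INNER = tlv(0x60, tlv(0x06, USER2USER) + b"<user2user token body placeholder>")
SAMPLE = tlv(0x60, tlv(0x06, SPNEGO) + tlv(0xA0, tlv(0x30,
    tlv(0xA0, tlv(0x30, tlv(0x06, KRB5) + tlv(0x06, MSKRB5))) + tlv(0xA2, tlv(0x04, INNER)))))
```

A mismatch, where the inner OID is the user2user one but mechTypes names only krb5 or mskrb5, is exactly the case a non-Windows SPNEGO implementation needs to recognise before handing the token to the plain krb5 mechanism.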
