Writing gss mechanism - Kerberos user2user

Idan Freiberg speidy at gmail.com
Mon Feb 6 01:50:02 EST 2017


It turns out that MS SSPs can support extra mech OIDs and one can get them
through SpGetExtendedInformation(SecpkgExtraOids, ...)
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa380167(v=vs.85).aspx>.
I think the MS Negotiate package takes the extra mech OIDs into consideration as
well.


On Sun, Feb 5, 2017 at 8:47 PM Idan Freiberg <speidy at gmail.com> wrote:

> Just to make it clear, the user2user MechToken inside the NegoTokenInit
> has the oid from the draft-swift-win2k-krb-user2user rfc draft.
>
> On Sun, Feb 5, 2017 at 8:42 PM Idan Freiberg <speidy at gmail.com> wrote:
>
> Unfortunately, I didn't find any dedicated U2U doc under MS technical
> documents. Also, MS-KILE doesn't include any info about U2U
> messages/implementation details.
> Regarding the RFC, there is also draft-swift-win2k-krb-user2user*-03*, but
> it's just minor changes.
>
> For me it feels like they tried to keep it as a part of Kerberos so they
> can share the existing code for seal/mic/etc.
>
> I started to add it in the same fashion as IAKERB is added to gssapi_krb5.
> It seems that IAKERB is also relying on much of the "original" krb5 mech
> code.
>
>
> On Sun, Feb 5, 2017 at 18:27 Greg Hudson <ghudson at mit.edu> wrote:
>
> On 02/05/2017 01:21 AM, Idan Freiberg wrote:
> > While it is possible, I'm not sure it's the right way. One reason for that
> > is because MS doesn't specify user2user mech as a separate mech in
> > MechTypes (NegoTokenInit).
> > They actually ask for official krb5 or mskrb5 oids, then they include the
> > user2user token as the MechToken of the request.
>
> That's a little surprising.  Is there any Microsoft documentation on
> this u2u mechanism?  I wasn't able to find any.
> draft-ietf-cat-user2user-02 (which is ancient) gives a different OID for
> use with SPNEGO.
>
-- 
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18
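The layout discussed in this thread (a NegTokenInit that offers the krb5 and mskrb5 OIDs in mechTypes while the mechToken inside carries the user2user mechanism's own token) can be made visible with a small SPNEGO inspector. This is an added example, not code from the thread or from MIT krb5; the U2U OID value and the two-byte TOK_ID are assumptions for illustration, and both sample tokens are constructed here rather than captured.

```python
# DER-encoded OBJECT IDENTIFIERs (tag, length, content); the U2U value is assumed, not from the thread
SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2 (RFC 4121)
MSKRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)
U2U = bytes.fromhex("060a2a864886f71201020203")   # 1.2.840.113554.1.2.2.3 (draft user2user, assumed)

def tlv(tag, body):  # DER TLV with short-form length; enough for the constructed samples
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):  # -> (tag, body, next_pos); handles the long lengths real tokens use
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def items(body):  # every TLV packed inside a constructed type
    pos = 0
    while pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        yield tag, field

def decode_oid(body):  # OID content octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def build_neg_token_init(mech_types, inner_mech):  # mechToken = InitialContextToken of inner_mech
    mech_token = tlv(0x60, inner_mech + b"\x01\x00")  # placeholder TOK_ID after the OID
    fields = tlv(0xA0, tlv(0x30, b"".join(mech_types))) + tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, SPNEGO + tlv(0xA0, tlv(0x30, fields)))

def inspect_neg_token_init(token):  # -> (offered mechTypes, OID carried inside mechToken)
    _, body, _ = read_tlv(token)  # [APPLICATION 0] GSS wrapper
    _, oid, pos = read_tlv(body)
    assert oid == SPNEGO[2:]  # thisMech must be SPNEGO
    mech_types, inner_oid = [], None
    for tag, field in items(read_tlv(read_tlv(body, pos)[1])[1]):  # [0] NegTokenInit SEQUENCE
        if tag == 0xA0:  # mechTypes: SEQUENCE OF OID
            mech_types = [decode_oid(o) for _, o in items(read_tlv(field)[1])]
        elif tag == 0xA2:  # mechToken: OCTET STRING holding the mechanism's own token
            inner_oid = decode_oid(read_tlv(read_tlv(read_tlv(field)[1])[1])[1])
    return mech_types, inner_oid

# Constructed samples: the Windows layout described in the thread vs. the draft's own OID
MS_STYLE = build_neg_token_init([KRB5, MSKRB5], U2U)
DRAFT_STYLE = build_neg_token_init([U2U, KRB5], U2U)
```

For MS_STYLE the inner OID is absent from mechTypes, which is exactly why an acceptor keyed only on mechTypes never sees a user2user negotiation.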
