GSS_ACCEPT_SECURITY_CONTEXT - Kerberos


Thread: GSS_ACCEPT_SECURITY_CONTEXT

  1. GSS_ACCEPT_SECURITY_CONTEXT

    Hi,

    I am trying to implement a custom Kerberos authentication for my IIS
    application using an ISAPI filter. I am expecting the
    gss_accept_security_context to return me AP-REP if I passed an input
    token (contains AP-REQ) with mutual_authentication flag set in its
    AP-options. But in my program the gss_accept_security_context returns a
    GSS-S-Complete but when I parse the output token it just contains the
    Input principal and didn't contain an AP-REP.

    Any help is greatly appreciated.

    Thanks

    Siva



    P.S: I am using the gssapi32.lib and the binary from MIT Kerberos for
    Windows (2.6.5) that I downloaded from MIT site





    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: GSS_ACCEPT_SECURITY_CONTEXT



    On Tuesday, September 27, 2005 10:11:56 AM -0500 "Balakrishnan, Sivakumar"
    wrote:

    > I am trying to implement a custom Kerberos authentication for my IIS
    > application using an ISAPI filter. I am expecting the
    > gss_accept_security_context to return me AP-REP if I passed an input
    > token (contains AP-REQ) with mutual_authentication flag set in its
    > AP-options. But in my program the gss_accept_security_context returns a
    > GSS-S-Complete but when I parse the output token it just contains the
    > Input principal and didn't contain an AP-REP.


    It's unclear here whether the context token you're passing in is one you
    got from another GSSAPI, or one you constructed yourself. The AP-REQ used
    by the Kerberos GSSAPI mechanism uses a special "checksum" which contains
    additional data used in negotiating the GSSAPI context (see RFC4121,
    section 4.1.1, or RFC1964 section 1.1.1). Part of this data includes flag
    bits indicating which GSSAPI-level options were requested by the
    application. In order for mutual authentication to happen, the 0x02 bit in
    these flags must be set.

    At the GSSAPI level, the way to do this is to make sure that the
    mutual_req_flag (in C, GSS_C_MUTUAL_FLAG) is set in the call to
    GSS_Init_sec_context().

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA
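
Added example, not part of the original thread and not MIT Kerberos code: an acceptor-side diagnostic that reads the Flags field of the GSSAPI checksum (checksum type 0x8003, RFC 4121 section 4.1.1) and reports whether the 0x02 mutual-authentication bit mentioned in the reply is set. It assumes the checksum bytes have already been extracted from the decrypted authenticator; all function and macro names are hypothetical and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout per RFC 4121 section 4.1.1:
   Lgth (4 octets, little-endian) | Bnd (16 octets) | Flags (4 octets, little-endian) | optional fields.
   All names below are local to this example, not taken from any GSSAPI header. */
#define CK_BND_LEN     16u
#define CK_MIN_LEN     24u    /* Lgth + Bnd + Flags */
#define CK_FLAG_MUTUAL 0x02u  /* the bit named in the reply above */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Store the Flags field in *flags. Returns 0 on success, -1 if the buffer is
   missing or too short, -2 if Lgth is not the fixed value 16. */
int gss_cksum_flags(const uint8_t *ck, size_t len, uint32_t *flags) {
    if (ck == NULL || flags == NULL || len < CK_MIN_LEN) return -1;
    if (le32(ck) != CK_BND_LEN) return -2;
    *flags = le32(ck + 4 + CK_BND_LEN);
    return 0;
}

/* 1 = initiator requested mutual authentication, 0 = it did not, <0 = malformed. */
int gss_cksum_mutual_requested(const uint8_t *ck, size_t len) {
    uint32_t flags = 0;
    int rc = gss_cksum_flags(ck, len, &flags);
    if (rc != 0) return rc;
    return (flags & CK_FLAG_MUTUAL) ? 1 : 0;
}

/* Constructed samples (not captured traffic): zeroed channel bindings,
   Flags 0x3e (mutual bit set) and 0x3c (mutual bit clear). */
const uint8_t SAMPLE_MUTUAL[24] = {
    0x10, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    0x3e, 0, 0, 0 };
const uint8_t SAMPLE_NO_MUTUAL[24] = {
    0x10, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    0x3c, 0, 0, 0 };

int main(void) {
    printf("0x02 set:   %d\n", gss_cksum_mutual_requested(SAMPLE_MUTUAL, sizeof SAMPLE_MUTUAL));
    printf("0x02 clear: %d\n", gss_cksum_mutual_requested(SAMPLE_NO_MUTUAL, sizeof SAMPLE_NO_MUTUAL));
    printf("truncated:  %d\n", gss_cksum_mutual_requested(SAMPLE_MUTUAL, 23));
    return 0;
}
```

A result of 0 for a token your own client produced means the initiator did not pass GSS_C_MUTUAL_FLAG to gss_init_sec_context.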


