On Tuesday, September 27, 2005 10:11:56 AM -0500 "Balakrishnan, Sivakumar" <[EMAIL PROTECTED]> wrote:

I am trying to implement a custom Kerberos authentication for my IIS application using an ISAPI filter. I am expecting gss_accept_security_context to return me an AP-REP if I pass an input token (containing an AP-REQ) with the mutual_authentication flag set in its AP-options. But in my program gss_accept_security_context returns GSS_S_COMPLETE, and when I parse the output token it just contains the input principal and doesn't contain an AP-REP.

It's unclear here whether the context token you're passing in is one you got from another GSSAPI, or one you constructed yourself. The AP-REQ used by the Kerberos GSSAPI mechanism uses a special "checksum" which contains additional data used in negotiating the GSSAPI context (see RFC4121, section 4.1.1, or RFC1964 section 1.1.1). Part of this data includes flag bits indicating which GSSAPI-level options were requested by the application. In order for mutual authentication to happen, the 0x02 bit in these flags must be set.

At the GSSAPI level, the way to do this is to make sure that the mutual_req_flag (in C, GSS_C_MUTUAL_FLAG) is set in the call to GSS_Init_sec_context().

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
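An added diagnostic example, not part of the original thread or of any GSSAPI implementation: it parses the body of the 0x8003 checksum carried in the AP-REQ authenticator, laid out as in RFC 1964 section 1.1.1 (Lgth, Bnd, Flags, all little-endian), and reports whether the 0x02 mutual bit discussed above is set. The constant names, function names and sample byte strings are my own constructions.

```c
/* Decode the GSSAPI (type 0x8003) checksum body from a Kerberos AP-REQ
 * authenticator and check the flag bits the initiator requested.
 * Layout (RFC 1964 sec. 1.1.1): Lgth (4 bytes LE, always 16),
 * Bnd (16 bytes, channel-binding hash), Flags (4 bytes LE), optional rest. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bit values from RFC 1964 sec. 1.1.1 (names are this example's own). */
#define CKSUM_DELEG_FLAG    0x01u
#define CKSUM_MUTUAL_FLAG   0x02u   /* the bit the reply above refers to */
#define CKSUM_REPLAY_FLAG   0x04u
#define CKSUM_SEQUENCE_FLAG 0x08u
#define CKSUM_CONF_FLAG     0x10u
#define CKSUM_INTEG_FLAG    0x20u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and stores the Flags word on success, -1 if the body is not a
 * well-formed 0x8003 checksum (needs Lgth == 16 and at least 24 bytes). */
int gss_cksum_flags(const uint8_t *body, size_t len, uint32_t *flags) {
    if (len < 24 || read_le32(body) != 16)
        return -1;
    *flags = read_le32(body + 20);   /* 4 (Lgth) + 16 (Bnd) */
    return 0;
}

/* 1 if the initiator asked for mutual authentication, 0 if not, -1 if malformed. */
int gss_cksum_requests_mutual(const uint8_t *body, size_t len) {
    uint32_t flags;
    if (gss_cksum_flags(body, len, &flags) != 0)
        return -1;
    return (flags & CKSUM_MUTUAL_FLAG) ? 1 : 0;
}

/* Constructed samples: Bnd is all zero (no channel bindings in use). */
static const uint8_t sample_with_mutual[24] = {
    0x10, 0, 0, 0,                                   /* Lgth = 16 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* Bnd */
    0x3e, 0, 0, 0 };  /* MUTUAL|REPLAY|SEQUENCE|CONF|INTEG */
static const uint8_t sample_without_mutual[24] = {
    0x10, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x3c, 0, 0, 0 };  /* REPLAY|SEQUENCE|CONF|INTEG, no 0x02 bit */

int main(void) {
    printf("mutual requested: %d\n", gss_cksum_requests_mutual(sample_with_mutual, 24));
    printf("mutual requested: %d\n", gss_cksum_requests_mutual(sample_without_mutual, 24));
    return 0;
}
```

An acceptor that sees the second form will legitimately return GSS_S_COMPLETE with no AP-REP, which is the behaviour described in the question.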
