Thanks Jeff.. Sorry for the lack of details. Here is what I am doing.
Runtime Environment: 1. Linux Server Hosting KDC 2. Windows 2003 server running IIS in a workgroup environment as Application Server 3. Windows XP as workstation running IE 6.0 4. Workstation has been joined to Linux realm In our Single Signon Solution, 1. The user will login to workstation (Kerberos realm on the linux) 2. Open IE and will invoke a page on the IIS 3. During the above process we like to authenticate the user using Kerberos protocol So I am implementing an ISAPI filter which will filter all the request to the IIS. Step by step Handshake and ISAPI FILTER functionality -------------------------------------------------------- 1. Check the incoming request's authentication header 2. If not Negotiate(Kerberos) then reject (401) and request a Negotiate authentication 3. Since IE is logged on the realm and the KDC have a service principal for the http service on the application server, IE will send a page request with Negotiate authentication header (this will contains SPNEGO token, which is wrapper over AP-REQ in a base64 encoded format) -- (IE will set the GSS_C_MUTUAL Authentication flag (0x02)-- I have verified that using the network sniffer ethereal) 4. Upon receving the valid SPNEGO token, ISAPI parse the token and establish a security context by supplying the appropriate keytab and server info. 5. After that I invoing gss_accept_security_context with appropriate parameter and expected to get a return token with AP-REP. 6. But just got the GSS_S_COMPLETE with a output token that contains the logged in user principal. Thanks Siva -----Original Message----- From: Jeffrey Hutzelman [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 27, 2005 9:42 AM To: Balakrishnan, Sivakumar; kerberos@mit.edu Cc: Jeffrey Hutzelman Subject: Re: GSS_ACCEPT_SECURITY_CONTEXT On Tuesday, September 27, 2005 10:11:56 AM -0500 "Balakrishnan, Sivakumar" <[EMAIL PROTECTED]> wrote: > I am trying to implement a custom Kerberos authentication for my IIS > application using an ISAPI filter. I am expecting the > gss_accept_security_context tor return me AP-REP if I passed a input > token(contains AP-REQ) with mutual_authentication flag set in its > AP-options. But in my program the gss_accept_security_context returns a > GSS-S-Complete but when I parse the output token it just contains the > Input principal and didn't contains a APP-REP. It's unclear here whether the context token you're passing in is one you got from another GSSAPI, or one you constructed yourself. The AP-REQ used by the Kerberos GSSAPI mechanism uses a special "checksum" which contains additional data used in negotiating the GSSAPI context (see RFC4121, section 4.1.1, or RFC1964 section 1.1.1). Part of this data includes flag bits indicating which GSSAPI-level options were requested by the application. In order for mutual authentication to happen, the 0x02 bit in these flags must be set. At the GSSAPI level, the way to do this is to make sure that the mutual_req_flag (in C, GSS_C_MUTUAL_FLAG) is set in the call to GSS_Init_sec_context(). -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos