On Wed, Sep 10, 2008 at 3:59 PM, Rahul Kohli <[EMAIL PROTECTED]> wrote: > Hi Henry, > > Thanks for your response. > > This C application (shared library) will be used for validating the kerberos > credential of a user with KDC on Microsoft AD 2003. > > Please suggest how we can use/develop a C application to validate user's > kerberos credentials with KDC located on different system.
You don't need to communicate with the KDC to validate the Kerberos token supplied by an HTTP client. You only need to use the service credential to decrypt the authenticator in the token and verify that the timestamp is within an acceptable range. And, depending on the system you're using, there are C routines that will perform all of these details for you. For example, UNIX systems usually come with a library called GSSAPI that have a gss_accept_sec_context function that does what you want. Sometimes GSSAPI is part of the Kerberos installation (e.g. on Linux GSSAPI usually comes with the MIT Kerberos packages). On Windows, there's something called SSPI which has a very similar function called AcceptSecurityContext. Mike > --- On Wed, 9/10/08, Henry B. Hotz <[EMAIL PROTECTED]> wrote: > > From: Henry B. Hotz <[EMAIL PROTECTED]> > Subject: Re: Application to extract Kerberos Cerdential > To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> > Date: Wednesday, September 10, 2008, 10:45 PM > > On Sep 10, 2008, at 9:17 AM, [EMAIL PROTECTED] wrote: > >> Message: 1 >> Date: Wed, 10 Sep 2008 07:05:39 -0700 (PDT) >> From: Rahul Kohli <[EMAIL PROTECTED]> >> Subject: Application to extract Kerberos Cerdentials >> To: [EMAIL PROTECTED] >> Message-ID: <[EMAIL PROTECTED]> >> Content-Type: text/plain; charset=iso-8859-1 >> >> Hi All, >> ? >> I am using Kerberos Client installed on HP-UX with?Active Directory >> 2003 (KDC Server).?I have verified the setup to be?working fine >> using Kinit and Klist utilities installed with Kerberos Client. >> ? >> I need to develop a sample C/C++ application that can extract User's >> kerberos credentials from the browser HTTP request and pass it to >> Kerberos Client for validation with KDC Server. >> ? >> Please suggest how can we extract user's kerberos credentials from >> Browser. Where can I get details of the API's to be used for this >> purpose. >> ? >> Thanks, >> Rahul >> ? > > I think this kind of question belongs on the kerberos@mit.edu list, > since it's not specific to the MIT implementation. I've set the reply- > > to header accordingly. > > I don't understand the application you're proposing. Is it possible > that what you want is really a web server module like mod_auth_kerb? > I can't imagine why you would want a *browser* to check a user's > credentials because the user owns the browser and can run whichever > one he/she wants, including a custom-modified one. > > For the normal usage scenarios the "extraction" process happens > automatically as part of some other task. If you can tell us what > you're trying to do, then perhaps we can point you at the right API's. > _______________________________________________ > krbdev mailing list [EMAIL PROTECTED] > https://mailman.mit.edu/mailman/listinfo/krbdev > > > > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
