gssapi

How do I interact with a Kerberos server from my own application?

My network has a Kerberos server for username/password authentication. Machines that run my application have functioning Kerberos clients, so users can use kinit, etc. How do I interact with the server programmatically, from my own custom applications? The preferred language for an example is C. I want users of my application to authen...

Is a service principal name (SPN) bound to a specific machine?

At the moment I am getting a KrbException: Integrity check on decrypted field failed (31) with my GSS demo application (on the server side). Now I am looking for the reason for this. I have the suspicion that it comes from the fact that the client and the server application run on the same machine (localhost) and/or the SPN was genera...

Is it possible to integrate Kerberos authentication into Jetty 6?

We currently have an application that runs an embedded Jetty 6.1.14 server to which we need to add authentication via Kerberos. I'm new to Kerberos, which makes the task about 100x harder than maybe it should be. I've scoured the internet and have found conflicting reports as to whether or not it is even possible but nothing much to pr...

Java/C# Kerberos inter-op possible?

Hi there... I have implemented a Kerberos server/client using sockets in Java, where the client sends his service-TGT to the server, and the server knows the client is authentic. My main concern is the snooping 'man-in-the-middle' attack. Someone could capture the TGT, and pretend to be the client. In a pure Java implementation, ...

Why do I get a GSSException when using Active Directory SSO from Microsoft IE to a Java server?

I was building an Active Directory Single Sign-On authentication system for Java web applications (using SPNEGO/Kerberos), and everything works fine with either Firefox or (reportedly) Safari, but Internet Explorer causes an exception: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!) In fact, I th...

What programs use GSS-API? Any decent sample programs?

I thought I wanted to use GSS-API, but now am not so sure, since I'm having a hard time finding good sample code for a trivial client/server pair. Sun has documentation including sample code, but it's written specifically for their GSS API implementation, using a few proprietary functions not in e.g. the GNU GSS-API (and for which it's ...

Why does Firefox keep negotiating Kerberos service tickets?

Hi, I ran some tests on Kerberos and found out some strange behavior related to Firefox and Kerberos. I have a server running Apache + mod_auth_kerb which is configured to check Kerberos credentials when serving requests from clients. Kerberos authentication is performed and users without valid credentials are rejected. However, I do not u...

In SASL authentication, are the messages between a particular client and server the same every time it connects?

I wrote a test client and server using the Cyrus SASL library, and I'm manually forcing it to select GSSAPI as the mechanism. While debugging, I printed the md5sum of each message as it was passed between the two. I noticed that the sequence seems to be the same every time I connect. That is, if the message sequence on the first negot...

What does sub-error code 568 mean for LDAP error 49 with Active Directory?

I am writing some Java code that authenticates to Active Directory using SASL GSSAPI. Mostly this code is working fine but for one user I am getting the response: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090304: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568, v1772 ] I know that 49 means...
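The diagnostic message quoted in the question above has a fixed shape that Active Directory uses for every failed bind: the LDAP result code (49, invalidCredentials), an SSPI HRESULT, the DSID, the comment ("AcceptSecurityContext error" means the DC's SSPI accept of the SASL/GSSAPI or simple bind failed), and a "data <hex>" sub-code, which is the hexadecimal value of a winerror.h constant. The parser below is an added example, not code from the question or from any AD library; the two sample messages are constructed for it (the first copies the one in the question), and the sub-code table lists the values AD is documented to return on logon failures.

```python
import re
from typing import Optional

# winerror.h logon failure codes that AD reports as "data <hex>" after LDAP result 49.
# The value on the wire is hexadecimal: "data 568" is 0x568 == 1384 == ERROR_TOO_MANY_CONTEXT_IDS.
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials (bad password)"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to log on at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to log on from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x568: ("ERROR_TOO_MANY_CONTEXT_IDS",
            "security context accumulated too many SIDs (group memberships); token too large"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must change password at next logon"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Matches the AD diagnostic string whether it arrives wrapped in a JNDI exception or raw.
_DIAG_RE = re.compile(
    r"error code (?P<result>\d+)"
    r"(?:\s*-\s*(?P<hresult>[0-9A-Fa-f]{8}))?"   # SSPI HRESULT, e.g. 80090304 = SEC_E_LOGON_DENIED
    r".*?comment:\s*(?P<comment>[^,]+),"
    r"\s*data\s+(?P<data>[0-9A-Fa-f]+)",        # hexadecimal winerror sub-code
    re.DOTALL,
)


def parse_ad_bind_error(message: str) -> Optional[dict]:
    """Decode an AD bind failure message; returns None if it is not in the AD format."""
    m = _DIAG_RE.search(message)
    if m is None:
        return None
    data = int(m.group("data"), 16)
    name, meaning = AD_BIND_SUBCODES.get(data, ("UNKNOWN", "sub-code not in table"))
    return {
        "result_code": int(m.group("result")),
        "hresult": m.group("hresult"),
        "comment": m.group("comment").strip(),
        "data_hex": m.group("data").lower(),
        "data_dec": data,
        "winerror": name,
        "meaning": meaning,
    }


# Constructed sample inputs. The first is the message from the question above.
SAMPLE_568 = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090304: "
              "LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568, v1772 ]")
SAMPLE_52E = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
              "comment: AcceptSecurityContext error, data 52e, v1db1 ]")

if __name__ == "__main__":
    for sample in (SAMPLE_568, SAMPLE_52E):
        info = parse_ad_bind_error(sample)
        print(f"data {info['data_hex']} -> {info['winerror']}: {info['meaning']}")
```

Two practical notes. First, the sub-code is for your logs, not for your users: 0x525 versus 0x52e tells an attacker whether a username exists, so the application should surface one generic "authentication failed" message and keep the decoded reason server-side. Second, 0x568 is not a credential problem at all; it reports that the DC could not build the user's token, so for that one user the thing to check is group membership count (including nested and SID-history entries), which is why the same account fails no matter which password or mechanism is used.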

ldap_sasl_bind_s(GSSAPI) - What should be provided in the credentials BERVAL structure

Hi, I'm trying to use the ldap_sasl_bind_s method from the Microsoft LDAP C SDK, with GSSAPI as the authentication mechanism. ldap_sasl_bind_s expects the credentials as a BERVAL structure, which is opaque. Given a username (or a DN) and a password, how do I get to the BERVAL structure that I'm supposed to pass to ldap_sasl_bind_s? T...

[.NET 2.0] NegotiateStream can't work with Kerberos/NTLM/GSSAPI over SASL (POP3/IMAP/SMTP)?

Hi everyone! I'm trying to get Integrated Windows Authentication (using default credentials of the currently logged-in Windows user) to log in to an Exchange 2007 account (SMTP/POP3/IMAP). I already have a working implementation for this but it uses SSPI functions and thus needs unmanaged code permissions (no good). I tried to make use of Negotiat...

SSPI loop with Windows client (C#) and Linux server (any language)

I have a client-server application that needs to be secured by adding server-side authentication. The client user will already be authenticated to LDAP (Active Directory) and will be running a C# GUI. The client connects to a server on a Linux box which uses Centrify for LDAP authentication. As I understand things, the two need to neg...