Ken, Dave,

Thanks for your replies. I agree with both of you that mutual authentication is a good thing. Basically, we were using Kerberos as an authentication mechanism through a protected interface and kicking off a "job" on the server system to run under the credentials of the client. No further Kerberos messages are exchanged. So, educate me if I am wrong, but I don't think mutual authentication buys us much here. The issue I have is that GSSAPI does not force this restriction but SSPI did.

Also, David, I don't see in the paragraph you mention where it states that I must do mutual authentication to do delegation. The paragraph you mention is below.

"The value of a client being able to authenticate a service is less understood. Authenticating a service enables the client to trust the information it gets from the service and to feel secure in sending sensitive information to the service. The ability of a client to authenticate a service is particularly important in client/service applications that support delegation of the client's security context (in other words, the client authorizes the service to act as its delegate in accessing additional services or network resources)."

Thanks again,
Brian

>> And to further follow up to the original message ....
>>
>> Is there any reason to _NOT_ do mutual authentication?
>>
>> --Ken

"David Lawler Christiansen (NT)" wrote:
> This is mentioned briefly in the third paragraph of
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/about_mutual_authentication_using_kerberos.asp
>
> Put simply, delegating to a server is a dangerous business. We require
> MUTUAL_AUTH to ensure that you're really delegating to the correct,
> intended entity.
>
> -----
> This message or posting is provided "AS IS" with no warranties, and
> confers no rights.
> Any opinions or policies stated within are my own and do not necessarily
> constitute those of my employer.
> Harvesting of this address for purposes of bulk email (including "spam")
> is prohibited unless by my expressed prior request. I retaliate
> viciously against spammers and spam sites.
>
> > -----Original Message-----
> > From: Brian Krings [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 08, 2002 12:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: Mutual authentication and delegation
> >
> > I have a question about mutual authentication and delegation.
> > I have an application where I would like to delegate
> > credentials. I do not currently do mutual authentication.
> > Using Windows 2000 as my KDC, I cannot get delegated
> > credentials unless I also pass the mutual authentication flag
> > to the SSPI InitializeSecurityContext. I don't see any
> > documentation from Microsoft or in the RFCs that would force
> > this. Does Microsoft have a bug? I do not have to request
> > mutual authentication if my client is a non-Windows machine
> > (using GSSAPI).
> >
> > Thanks in advance for any/all responses.
> > Brian
> >
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > http://mailman.mit.edu/mailman/listinfo/kerberos
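The thread's practical point is that SSPI ties delegation to mutual authentication while GSSAPI leaves that decision to the application. The following is an added example, not code from the thread, from MIT Kerberos, or from Microsoft: a client-side policy check that refuses to treat a context as a delegation target unless the peer was mutually authenticated and the mechanism actually granted delegation. The flag bit values are the ones RFC 2744 assigns to GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG and friends, restated locally so the block compiles without the GSSAPI headers; `simulate_handshake`, the `deleg_verdict` enum and all scenario inputs are constructed for the example and model the behaviour Brian describes (a Windows 2000 KDC grants delegation only when mutual auth is also requested; a non-Windows GSSAPI client is not forced to).

```c
/* Added example: a delegation policy check for a GSSAPI client.
 * Not code from the mailing-list thread or from any GSSAPI/SSPI
 * implementation. No KDC is contacted; the handshake is simulated. */
#include <stdio.h>
#include <stdint.h>

/* Context flag bits as defined in RFC 2744 (restated so this block
 * builds without <gssapi/gssapi.h>). */
#define GSS_C_DELEG_FLAG     1u
#define GSS_C_MUTUAL_FLAG    2u
#define GSS_C_REPLAY_FLAG    4u
#define GSS_C_SEQUENCE_FLAG  8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u

typedef uint32_t OM_uint32;

/* Constructed verdict type for the policy decision. */
enum deleg_verdict {
    DELEG_OK = 0,         /* peer authenticated and delegation granted */
    DELEG_NOT_REQUESTED,  /* caller never asked for delegation */
    DELEG_NO_MUTUAL,      /* delegating without authenticating the peer */
    DELEG_NOT_GRANTED     /* mechanism dropped the requested deleg flag */
};

/* Flags a client that intends to delegate should request. Mutual
 * authentication is bundled in on purpose: this is the restriction
 * SSPI enforces and GSSAPI leaves to the application. */
OM_uint32 delegating_client_req_flags(void)
{
    return GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
           GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
}

/* Decide whether a completed context may be used for delegation.
 * req_flags is what was passed to gss_init_sec_context(); ret_flags is
 * what the mechanism reports was negotiated. RFC 2744 allows a mechanism
 * to clear a requested flag instead of failing, so ret_flags must be
 * inspected rather than assumed equal to req_flags. */
enum deleg_verdict check_delegation(OM_uint32 req_flags, OM_uint32 ret_flags)
{
    if (!(req_flags & GSS_C_DELEG_FLAG))
        return DELEG_NOT_REQUESTED;
    if (!(req_flags & GSS_C_MUTUAL_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG))
        return DELEG_NO_MUTUAL;
    if (!(ret_flags & GSS_C_DELEG_FLAG))
        return DELEG_NOT_GRANTED;
    return DELEG_OK;
}

/* Constructed stand-in for the mechanism. kdc_requires_mutual = 1 models
 * the Windows 2000 behaviour from the thread (delegated credentials only
 * if mutual auth was also requested); 0 models a mechanism that hands
 * out delegation whenever asked. Every other requested flag is echoed. */
OM_uint32 simulate_handshake(OM_uint32 req_flags, int kdc_requires_mutual)
{
    OM_uint32 ret = req_flags & ~GSS_C_DELEG_FLAG;
    int mutual = (req_flags & GSS_C_MUTUAL_FLAG) != 0;
    if ((req_flags & GSS_C_DELEG_FLAG) && (!kdc_requires_mutual || mutual))
        ret |= GSS_C_DELEG_FLAG;
    return ret;
}

const char *verdict_name(enum deleg_verdict v)
{
    switch (v) {
    case DELEG_OK:            return "delegation ok";
    case DELEG_NOT_REQUESTED: return "delegation not requested";
    case DELEG_NO_MUTUAL:     return "refused: peer not mutually authenticated";
    case DELEG_NOT_GRANTED:   return "refused: mechanism did not grant delegation";
    }
    return "unknown";
}

int main(void)
{
    OM_uint32 good = delegating_client_req_flags();
    OM_uint32 bare = GSS_C_DELEG_FLAG;   /* delegation without mutual auth */

    printf("W2K KDC, deleg+mutual : %s\n",
           verdict_name(check_delegation(good, simulate_handshake(good, 1))));
    printf("W2K KDC, deleg only   : %s\n",
           verdict_name(check_delegation(bare, simulate_handshake(bare, 1))));
    /* The GSSAPI case from the thread: the mechanism grants delegation
     * without mutual auth, but the policy still refuses to rely on it. */
    printf("lenient KDC, deleg only: %s\n",
           verdict_name(check_delegation(bare, simulate_handshake(bare, 0))));
    printf("deleg silently dropped : %s\n",
           verdict_name(check_delegation(good, GSS_C_MUTUAL_FLAG)));
    return 0;
}
```

In a real client the first value goes into the `req_flags` argument of `gss_init_sec_context()` and the second comes back through its `ret_flags` out parameter once the context is complete; the SSPI equivalents are the `ISC_REQ_DELEGATE` / `ISC_REQ_MUTUAL_AUTH` request bits and the context attributes `InitializeSecurityContext` returns. The third scenario is the one the thread is about: a non-Windows mechanism will hand back `GSS_C_DELEG_FLAG` without mutual authentication, so if the application wants the safety property David describes it has to enforce it itself.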
