On Tue, 22 Aug 2006 03:25:42 +0200 Fredrik Tolf <[EMAIL PROTECTED]> wrote:
> On Mon, 2006-08-21 at 18:29 -0400, Michael B Allen wrote:
> > On Mon, 21 Aug 2006 21:48:30 +0200
> > Fredrik Tolf <[EMAIL PROTECTED]> wrote:
> >
> > > So, I'm wondering, are the messages created by JGSS compatible with the
> > > ones used by the native MIT API?
> >
> > Yes. There have been bugs in Java's Kerberos implementation but I'm not
> > sure if there is anything outstanding. Otherwise, JGSS should be fully
> > compatible with MIT, Heimdal, Microsoft, ...
>
> Sorry, I guess I should rephrase myself. I didn't mean to ask whether
> JGSS is compatible with MIT's, Heimdal's and Microsoft's GSSAPI
> implementation (because I would find it very weird if it wasn't), but
> rather whether the messages generated by GSSAPI (whether it be JGSS or
> MIT's libgssapi_krb5) is compatible with the messages generated by the
> "native" Krb5 API.

GSSAPI doesn't really define a format of messages. The messages are
opaque blobs. It's up to the underlying authentication mechanism to
encode and decode the information required by the GSSAPI interface.
Actually GSSAPI might define that the tokens are prefixed with an OID.

> That is, if I generate an initial token with the
> GSSContext.initSecContext method and send it to a server, will the
> server be able to pass that token directly into krb5_rd_req and having
> it be understood?

Hmm, I wouldn't rely on that. If you use GSSAPI on the client you should
use GSSAPI on the server. If you can't use GSSAPI on the server then use
raw Kerberos on the client. Otherwise you might need to strip that OID I
mentioned. Not sure. I would have to look into that but I have to clean
my fish tank :->

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
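Added example, not part of the original message or of any Kerberos library: a C sketch of the framing in question, based on RFC 2743 section 3.1 (initial token = tag 0x60, DER length, mechanism OID) and RFC 1964 section 1.1 (two-byte TOK_ID 01 00 before the AP-REQ). The function name `gss_krb5_unwrap_ap_req` and the sample token, whose three-byte "AP-REQ" is a placeholder stub, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const uint8_t KRB5_MECH_OID[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/* Constructed sample: header, OID, TOK_ID, then a 3-byte stand-in for the AP-REQ. */
const uint8_t SAMPLE_TOKEN[] = {
    0x60, 0x10,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x01, 0x00,
    0x6e, 0x01, 0x00
};

/* Read a DER length at *pos; returns 0 on success, -1 if malformed. */
static int der_len(const uint8_t *b, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    uint8_t first = b[(*pos)++];
    if (first < 0x80) { *out = first; return 0; }   /* short form */
    size_t cnt = first & 0x7f;                      /* long form: cnt bytes */
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    size_t v = 0;
    while (cnt--) v = (v << 8) | b[(*pos)++];
    *out = v;
    return 0;
}

/* Locate the raw AP-REQ inside a krb5 GSS-API initial context token.
 * Returns 0 and sets *ap / *ap_len on success, -1 on any mismatch. */
int gss_krb5_unwrap_ap_req(const uint8_t *tok, size_t n,
                           const uint8_t **ap, size_t *ap_len)
{
    size_t pos = 0, body;
    if (n < 1 || tok[pos++] != 0x60) return -1;     /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &body) != 0) return -1;
    if (body != n - pos) return -1;                 /* truncated or trailing data */
    if (body < sizeof KRB5_MECH_OID + 2) return -1;
    if (memcmp(tok + pos, KRB5_MECH_OID, sizeof KRB5_MECH_OID) != 0)
        return -1;                                  /* not the krb5 mechanism */
    pos += sizeof KRB5_MECH_OID;
    if (tok[pos] != 0x01 || tok[pos + 1] != 0x00) return -1; /* TOK_ID: AP-REQ */
    *ap = tok + pos + 2;
    *ap_len = n - pos - 2;
    return 0;
}
```

A token wrapped in another mechanism such as SPNEGO carries a different OID and is rejected by the `memcmp` check rather than unwrapped.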
