eswars wrote:
> I am trying to use server username (ex: [EMAIL PROTECTED]) to generate
> service ticket through which I can mutually authenticate with Server.
>
> This is working fine in all English Windows OS. Here what I am doing is
> ms2mit code I am using to get default windows logon user ticket to be cache
> to MIT file cache. Whenever gss_init_sec_context() try to use that default
> cache to generate service ticket I got error "miscellaneous failure:
> Matching credential not found".
>
> Even in the leash not able to show the Username properly. It shows something
> in Chinese (some garbage).
>
> I feel there is problem in writing ticket to cache file. If I do kinit with
> password and try for service ticket with gss_init_sec_context() it is fine
> even in Chinese OS.

I suspect the problem is character set related. The Kerberos protocol as currently specified in RFC4120 only supports US-ASCII. Microsoft bent the rules to support UNICODE and can do so in their API because internally all string data is stored as UNICODE.

MIT Kerberos stores all string data as "C" language strings. (A sequence of single byte characters followed by a terminating NUL.) When the MSLSA ccache is used, it translates all strings from Unicode to the local system's ANSI character set. However, there is a trick used. Unless MIT Kerberos is attempting to actually use the ticket, the MSLSA ccache routines do not actually read the ticket and therefore it limits the potential opportunity for damage.

When you copy tickets from the MSLSA to FILE ccaches, the entire ticket must be copied and all strings translated. My guess is that the damage is occurring not in the FILE ccache but in the Unicode to ANSI translation that takes place as part of the export.

This would best be verified using the Microsoft Debugging Tools for Windows in combination with the Debugging Symbols that ship with KFW and the matching source code for the version you are using.

Jeffrey Altman
Secure Endpoints Inc.
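
The failure mode suspected in the reply above, a Unicode string damaged when it is narrowed to a single ANSI code page, can be checked offline as follows. This is an added example, not part of the original message or of KFW: Python codecs stand in for the Windows conversion as an assumption, and the principal names, code pages and function names are constructed for illustration.

```python
# Added illustration: Python codecs approximate a Unicode-to-ANSI conversion.
# A real Windows conversion may also apply best-fit mappings, which this
# sketch does not model.

def to_ansi(name: str, codepage: str) -> bytes:
    """Narrow a Unicode name to one ANSI code page; characters the code
    page cannot represent become '?', as in a lossy conversion."""
    return name.encode(codepage, errors="replace")


def classify(name: str, codepage: str) -> str:
    """Report how a principal name survives storage as a C string."""
    ansi = to_ansi(name, codepage)
    if ansi.decode(codepage, errors="replace") != name:
        return "lossy"               # name is altered by the translation
    if name.isascii():
        return "ascii"               # identical bytes in every code page
    return "codepage-dependent"      # intact, but only for this code page


def matches_after_export(requested: str, stored: str,
                         export_cp: str, read_cp: str) -> bool:
    """Would a byte-wise comparison find `stored` (narrowed with export_cp)
    when the lookup key is `requested` (narrowed with read_cp)?"""
    return to_ansi(stored, export_cp) == to_ansi(requested, read_cp)


# Constructed sample principals (not taken from the thread).
SAMPLES = ["host/server01@EXAMPLE.COM", "用户@EXAMPLE.COM"]

if __name__ == "__main__":
    for name in SAMPLES:
        for cp in ("cp1252", "cp936"):
            print(f"{name!r:32} {cp:7} {classify(name, cp):20} "
                  f"{to_ansi(name, cp)!r}")
```

A name classified as `lossy` or `codepage-dependent` is one whose cached form can differ from the lookup key, which is the kind of mismatch to look for when verifying the guess with a debugger.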
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
