Re: programmatically access to kerberos



I am doing Kerberos authentication to authenticate a user to an LDAP
server. I am doing these things programmatically. While getting a service
ticket, I am using the krb5 API krb5_mk_req(), which makes the service ticket from
TGS and also makes the AP_REQ.

The problem is that when I call krb5_mk_req(), I need to pass two
parameters, service and hostname.
For service I am passing "Ldap", and for hostname I am passing the name of the
computer where the LDAP server is installed, like
"hdchnveta20364.hclt.corp.hcl.in".
This API does not work in this case, but when I pass the DNS server
name for our LAN, "chn-hclt-adc13.hclt.corp.hcl.in", it works fine.
Can anybody tell me the definite reason and the right parameter to pass?
I feel some configuration is required at the client and server end.
I am working on Windows, for which I am not getting the right information.
Anybody can just help me with links as well.

"DaveMo" wrote:

On Dec 15, 10:58 pm, Deepika <Deep...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Hi, thanks for your help.
But from where can I get your mail ID?

Also, I checked the readme.txt file that comes with the Klist sample.
I'll just paste the content here.

""This sample demonstrates how to use the LSA interface to the
Kerberos authentication package on Microsoft Windows 2000 for the
purpose of viewing and deleting the Kerberos tickets granted to the
current logon session.
This sample will only work on Windows 2000. To actually see any tickets,
your Windows 2000 machine must be joined to a Windows 2000 domain.
WARNING: Deleting Kerberos tickets can disable the full functionality of
Windows 2000 for the current logon session.
See the Platform SDK for more information on the Kerberos protocol and
Kerberos tickets.""
See here it is written.



"DaveMo" wrote:
On Dec 12, 1:11 am, Deepika <Deep...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
Actually, I downloaded the Platform SDK and looked into the basic source code.
There it is written that the code will run only on Windows 2000.
I need this functionality in all versions of Windows above 2k.
Will the utility suggested by you work across all the versions of Windows?

I tried to download the utility but was unable to do so due to blockage in
my office.
I'll try from somewhere else.

If possible, please share the source code so that I can start off with this.

"Deepika" wrote:
Actually, I am trying to use Kerberos for the first time.
I have only read about this mechanism theoretically and do not know how this
happens in reality.

I started with a hit-and-try approach.
So I'll try to use it and tell you.
Moreover, I'll be so grateful if you can send me the code so that I can have
a better understanding of how things actually happen.

"DaveMo" wrote:

On Dec 10, 9:19 pm, Deepika <Deep...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I want to get the TGT from Kerberos and store it in the credential cache.
Later I want to raise a request for a service ticket to Kerberos.
Basically I have to follow the complete Kerberos mechanism.
All this I want to do programmatically in VC++.
I found out a function krb5_get_in_tkt_with_skey() to start with.
I am not getting directions to proceed forward.
Can anyone help me on this?

On Windows you'll want to use the Windows APIs to do this kind of
thing. Start with the KLIST sample from the Windows Platform SDK. I
have an extended version of KLIST that has this functionality and you
can find the binary here: www.securitay.com/support/freeutils.aspx

Try it out and if it does what you want then let me know and I'll send
you the source code.

HTH,
Dave

Windows samples typically work across all versions of the OS. They
don't break backwards or forwards compat if it can possibly be
avoided.

My version is the same code as the KLIST sample but with a couple of
additional pieces of functionality.

Send me an e-mail offline and I'll mail you the source.

Dave

That comment was written in the year 2000 when the distinction was
between NT4 and Windows 2000. The sample works fine on anything Win2k
or newer.

Dave
