[36242] in Kerberos
Use of NT-ENTERPRISE name type via GSS-API
daemon@ATHENA.MIT.EDU (Alan Braggins)
Wed Jul 2 05:36:28 2014
Message-ID: <53B3D288.6000704@riverbed.com>
Date: Wed, 02 Jul 2014 10:36:08 +0100
From: Alan Braggins <alan.braggins@riverbed.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>

I'm using Kerberos constrained delegation (s4u2proxy)
for a proxy server that is authenticating clients to a
Microsoft Active Domain server.

I'm using GSS-API because I want to end up with a SPNEGO
Authorization header, and SPNEGO is a GSS-API mechanism.

The user (client) principals I have to work with have a
"UPN suffix" (have the format <id>@suffix):
http://support.microsoft.com/kb/243629
http://tools.ietf.org/html/rfc6806#section-5

https://groups.google.com/forum/#!topic/comp.protocols.kerberos/2klyzrgsGk0
says "or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL
if GSSAPI supported such a thing"

Inventing a GSS_C_NT_ENTERPRISE_PRINCIPAL OID and patching
krb5_gss_import_name to call krb5_name_parse_flags with
KRB5_PRINCIPAL_PARSE_ENTERPRISE when it's used seems to work,
but obviously it would be better if that was standard.

Or we can just escape the '@' with a '\'.

Any suggestions or recommendations?

Thanks,
Alan
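
Added example (not part of the original message, and not MIT krb5 code): a sketch of the "escape the '@' with a '\'" option, which quotes every character the krb5 name parser treats as a separator so that a UPN stays a single component. The function name upn_to_krb5_name, its parameters and the sample UPN and realm are hypothetical; it assumes MIT krb5 name syntax, where '/' splits components, '@' starts the realm and '\' makes the next character literal.

```c
#include <stdio.h>
#include <string.h>

/* Added example; upn_to_krb5_name() and its parameters are hypothetical.
 * Assumes MIT krb5 name syntax: '/' splits components, '@' starts the
 * realm, and '\' makes the next character literal.
 * Returns 0 on success, -1 on bad input or if out is too small. */
int upn_to_krb5_name(const char *upn, const char *realm,
                     char *out, size_t outlen)
{
    size_t o = 0;
    const char *p;

    if (upn == NULL || out == NULL || *upn == '\0')
        return -1;
    /* The realm is appended unquoted, so it must not carry separators. */
    if (realm != NULL && (*realm == '\0' || strpbrk(realm, "@/\\") != NULL))
        return -1;

    for (p = upn; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f)      /* reject control characters */
            return -1;
        if (c == '@' || c == '/' || c == '\\') {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = '\\';            /* quote the separator */
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    if (realm != NULL) {
        size_t rlen = strlen(realm);
        if (o + 1 + rlen >= outlen)
            return -1;
        out[o++] = '@';                 /* the only unquoted '@' */
        memcpy(out + o, realm, rlen);
        o += rlen;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample UPN and realm. */
    if (upn_to_krb5_name("jdoe@example.com", "CORP.EXAMPLE.COM", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

A name built this way parses as an ordinary principal; only the KRB5_PRINCIPAL_PARSE_ENTERPRISE path marks it with the enterprise name type.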