On Thu, 8 Feb 2007 13:16:23 +0100 "Peger, Daniel Heinrich" <[EMAIL PROTECTED]> wrote:
> I've already successfully verified that the following combinations work
> (both client and service running on the same Windows XP machine):
>
> Client    Service
> ------------------
> GSSAPI    GSSAPI
> SSPI      GSSAPI
> SSPI      SSPI
>
> But if I obtain the service ticket using the GSSAPI methods and try to
> accept the respective security context in the service using
> AcceptSecurityContext(...) from MS's SSPI, I always get
> SEC_E_LOGON_DENIED as return code. As stated above. Using the same
> authentication information (username, password and realm) with SSPI's
> InitializeSecurityContext(...), the resulting ticket is verified by the
> test-service.
>
> I already tried to introduce a mapping of the kerberos user principal
> ([EMAIL PROTECTED]) to a local user account (test-user) but
> this didn't help either. Is the group that test-user belongs to of any
> relevance?

No, but you said you are using a Heimdal KDC so I'm curious about what
"group" you're talking about since a Heimdal KDC doesn't support groups
that Windows would understand.

> Is this a Microsoft incompatibility issue or is there something special
> that needs to be regarded if trying to use GSSAPI together with SSPI?

It should work just fine. Make sure you have the latest ticket. Otherwise
get a packet capture paying particular attention to the principal
names being used.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
