
I’m trying to access Active Directory on our server using Kerberos (GSSAPI). First try the current Windows user; if refused, the user can input a new one. Most of the documents mention that Kerberos can authorize without a password (current user), but say little about logging in as a new user. In other software (e.g. IE), when the current user is not accepted, they ask me to input a new user/pass. But I have found little information about how to implement that.

  1. In Kerberos, what is the difference between “new user login with password” and “share authority between two links”? My goal is to let the user input a username/password and log in to AD with Kerberos if the current user is not accepted (in C++).
  2. The linkage between SSPI and GSSAPI seems to be a huge problem. I searched Stack Overflow/Google and found about 5-8 questions/docs, but none of them seems to help. (I will put links later.)

Here: ldap_sasl_bind_s(GSSAPI) - What should be provided in the credentials BERVAL structure

What I have tried:

  1. About logging in with a new user/pass, I got no directions.

  2. About logging in with the current user (through SSPI), I am blocked at the last step: returning the 4-byte auth-Id. No idea what to return. Trying to write 0 or another random number, encrypted and sent to the server, it just refused.

wwc
    _"logging with new user/pass"_ > you can invoke `kinit` utility, which stores the user TGT in a cache, then your LDAP connector can build the service ticket from that TGT. A bit ugly but many stacks rely on `kinit` for edge cases (e.g. Java does not support renewable tickets natively) – Samson Scharfrichter Sep 02 '19 at 08:16
  • _"logging with current user"_ > on Windows, that usually means SSO (Single Sign-On) i.e. retrieving the existing AD credentials (TGT and possibly service ticket) from the ISA cache (that cache type is specific to Windows, open by default on workstations and locked by default on servers) – Samson Scharfrichter Sep 02 '19 at 08:22
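The last step the question is stuck on is the SASL GSSAPI security-layer negotiation from RFC 4752: once the Kerberos context is complete, the server sends one wrapped 4-octet token (a bitmask of the security layers it supports, then a 24-bit maximum buffer size) and the client replies with one wrapped token (the single layer it selects, its own maximum buffer size, then an optional authorization identity, which is what the "auth-Id" refers to and is normally left empty against Active Directory). The following is an added example, not code from the question or from any Microsoft or OpenLDAP source; it shows only the portable cleartext handling of those two tokens. The struct and function names are mine, the three layer constants are the RFC's values, and the wrap/unwrap step (EncryptMessage/DecryptMessage with SECQOP_WRAP_NO_ENCRYPT on SSPI, gss_wrap/gss_unwrap with confidentiality off on GSSAPI) is left to the caller and not shown.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// RFC 4752 security-layer bitmask values carried in the first octet of the
// final SASL/GSSAPI exchange (these three values come from the RFC itself).
enum SaslGssapiLayer : uint8_t {
    LAYER_NONE            = 0x01,  // no security layer
    LAYER_INTEGRITY       = 0x02,  // integrity protection (signing)
    LAYER_CONFIDENTIALITY = 0x04   // confidentiality (sealing)
};

// Result of parsing the server's 4-octet token (struct name is mine).
struct ServerLayerToken {
    uint8_t  offered_layers;  // bitmask of layers the server supports
    uint32_t max_buffer;      // largest wrapped message the server will accept
};

// Parse the 4 octets the server sends once the Kerberos context is complete.
// The caller must already have removed the GSS wrap (DecryptMessage on SSPI,
// gss_unwrap on GSSAPI); this function sees only the cleartext payload.
ServerLayerToken parse_server_token(const std::vector<uint8_t>& t) {
    if (t.size() != 4)
        throw std::invalid_argument("server security-layer token must be exactly 4 octets");
    ServerLayerToken s;
    s.offered_layers = t[0];
    // Octets 2-4 are a 24-bit big-endian maximum buffer size.
    s.max_buffer = (uint32_t(t[1]) << 16) | (uint32_t(t[2]) << 8) | uint32_t(t[3]);
    if ((s.offered_layers & (LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) == 0)
        throw std::runtime_error("server offered no recognised security layer");
    return s;
}

// Pick the strongest layer both sides support; returns 0 when there is none.
uint8_t choose_layer(uint8_t offered, uint8_t client_supported) {
    uint8_t common = offered & client_supported;
    if (common & LAYER_CONFIDENTIALITY) return LAYER_CONFIDENTIALITY;
    if (common & LAYER_INTEGRITY)       return LAYER_INTEGRITY;
    if (common & LAYER_NONE)            return LAYER_NONE;
    return 0;
}

// Build the cleartext of the client's final token: one octet naming the chosen
// layer, three octets of the client's maximum buffer size, then the
// authorization identity (empty means "authorize as the authenticated Kerberos
// principal"). The caller wraps this with integrity only and hands the wrapped
// bytes to ldap_sasl_bind_s as the credentials BERVAL.
std::vector<uint8_t> build_client_token(uint8_t layer, uint32_t client_max_buffer,
                                        const std::string& authzid) {
    if (layer != LAYER_NONE && layer != LAYER_INTEGRITY && layer != LAYER_CONFIDENTIALITY)
        throw std::invalid_argument("exactly one security layer must be selected");
    if (client_max_buffer > 0xFFFFFF)
        throw std::invalid_argument("client maximum buffer size does not fit in 24 bits");
    // RFC 4752: the size field MUST be 0 when no security layer is selected.
    uint32_t mb = (layer == LAYER_NONE) ? 0 : client_max_buffer;
    std::vector<uint8_t> out = { layer, uint8_t(mb >> 16), uint8_t(mb >> 8), uint8_t(mb) };
    out.insert(out.end(), authzid.begin(), authzid.end());
    return out;
}

// Whole client-side step: parse what the server offered, choose a layer the
// client supports, and produce the reply payload. Throws if negotiation fails,
// which is the right outcome rather than sending a guessed value.
std::vector<uint8_t> client_final_payload(const std::vector<uint8_t>& server_token,
                                          uint8_t client_supported,
                                          uint32_t client_max_buffer,
                                          const std::string& authzid = "") {
    ServerLayerToken s = parse_server_token(server_token);
    uint8_t layer = choose_layer(s.offered_layers, client_supported);
    if (layer == 0)
        throw std::runtime_error("no security layer acceptable to both sides");
    return build_client_token(layer, client_max_buffer, authzid);
}

int main() {
    // Constructed sample: server offers all three layers and a 64 KiB buffer.
    std::vector<uint8_t> server = { 0x07, 0x01, 0x00, 0x00 };
    std::vector<uint8_t> reply = client_final_payload(server, LAYER_NONE | LAYER_INTEGRITY, 0xFFFF);
    for (uint8_t b : reply) std::printf("%02x ", b);
    std::printf("\n");
    return 0;
}
```

For the "new user/pass" half of the question, the only SSPI-specific difference is where the credential comes from: AcquireCredentialsHandle with a null identity uses the logged-on user's ticket cache, while passing a SEC_WINNT_AUTH_IDENTITY (user, domain, password) obtains a TGT for the named account; the token exchange that follows, including the step above, is the same in both cases.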

0 Answers