I have a Linux server application that is using Kerberos for client authentication and a client that needs to run on Windows. Kerberos tickets are issued by Windows Active Directory. The client authenticates successfully on the server if I use the MIT KfW 3.2.2 API for retrieving AS and TGS tickets from the Kerberos server and store them in the Kerberos credentials store. But the problem with this approach is that the user needs to input his credentials again. The solution would be to access the MS LSA store, but this does not work. Neither does the ms2mit.exe application. It does not matter if I run it as a normal user or as administrator, or if I disable UAC completely. This is why I would like to use SSPI on the client to make the KRB_AP_REQ message which I would send to the server. Is that possible? If yes, how can it be done? If no, what are my other options? Please note that the server is already built and it would require significant effort to change it, therefore I would like to find a solution on Windows.
You can use the AcquireCredentialsHandle and InitializeSecurityContext functions of the Windows SSPI subsystem to get a valid ticket and authenticate against a Linux-based server.
First use AcquireCredentialsHandle(), and then use multiple calls to InitializeSecurityContext with the tokens you get from your server until you're authenticated.
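The two calls named in the answer, as an added example that is not part of the original post, plus a helper that extracts the bare KRB_AP_REQ from the token SSPI returns. The function names `gss_unwrap_ap_req`, `sspi_acquire` and `sspi_step` are hypothetical, the SPN is supplied by the caller, and whether the server wants the bare AP_REQ or the whole GSS-API token is an assumption to check against the server: one built on `gss_accept_sec_context` takes the token unchanged.

```c
#include <stddef.h>
#include <string.h>
/* A Kerberos SSPI/GSS-API initial token is framed as (RFC 1964, section 1.1):
   0x60 <DER length> <krb5 mech OID> 0x01 0x00 <KRB_AP_REQ> */
static const unsigned char KRB5_OID[] =
    { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
/* Returns a pointer to the bare KRB_AP_REQ inside tok, or NULL if malformed. */
const unsigned char *gss_unwrap_ap_req(const unsigned char *tok, size_t len,
                                       size_t *ap_len) {
    size_t pos = 2, body, n;
    if (len < 2 || tok[0] != 0x60) return NULL;
    body = tok[1];
    if (body & 0x80) {                          /* long-form DER length */
        n = body & 0x7f;
        if (n == 0 || n > 4 || len < 2 + n) return NULL;
        for (body = 0; n > 0; n--) body = (body << 8) | tok[pos++];
    }
    if (body != len - pos || body < sizeof KRB5_OID + 2) return NULL;
    if (memcmp(tok + pos, KRB5_OID, sizeof KRB5_OID) != 0) return NULL;
    pos += sizeof KRB5_OID;
    if (tok[pos] != 0x01 || tok[pos + 1] != 0x00) return NULL; /* TOK_ID: AP_REQ */
    *ap_len = len - pos - 2;
    return tok + pos + 2;
}

#ifdef _WIN32   /* Windows-only part; link with secur32.lib */
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
/* Credentials of the current logon session, so no password prompt. */
SECURITY_STATUS sspi_acquire(CredHandle *cred) {
    TimeStamp exp;
    return AcquireCredentialsHandleA(NULL, (SEC_CHAR *)"Kerberos",
        SECPKG_CRED_OUTBOUND, NULL, NULL, NULL, NULL, cred, &exp);
}

/* One handshake step: first=1 on the first call (in is ignored), afterwards pass
   the server's reply and repeat while SEC_I_CONTINUE_NEEDED is returned.
   Send out->pvBuffer to the server, then release it with FreeContextBuffer. */
SECURITY_STATUS sspi_step(CredHandle *cred, CtxtHandle *ctx, int first,
                          SEC_CHAR *spn, void *in, ULONG in_len, SecBuffer *out) {
    SecBuffer ib = { in_len, SECBUFFER_TOKEN, in };
    SecBufferDesc id = { SECBUFFER_VERSION, 1, &ib }, od = { SECBUFFER_VERSION, 1, out };
    ULONG attrs; TimeStamp exp;
    out->cbBuffer = 0; out->BufferType = SECBUFFER_TOKEN; out->pvBuffer = NULL;
    return InitializeSecurityContextA(cred, first ? NULL : ctx, spn,
        ISC_REQ_MUTUAL_AUTH | ISC_REQ_ALLOCATE_MEMORY, 0, SECURITY_NATIVE_DREP,
        first ? NULL : &id, 0, ctx, &od, &attrs, &exp);
}
#endif
```

When the handshake ends, release the handles with `DeleteSecurityContext` and `FreeCredentialsHandle`.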