I'm using Kerberos constrained delegation (s4u2proxy) for a proxy server that is authenticating clients to a Microsoft Active Domain server.
I'm using GSS-API because I want to end up with a SPNEGO Authorization header, and SPNEGO is a GSS-API mechanism.

The user (client) principals I have to work with have a "UPN suffix" (have the format <id>@suffix):

http://support.microsoft.com/kb/243629
http://tools.ietf.org/html/rfc6806#section-5

https://groups.google.com/forum/#!topic/comp.protocols.kerberos/2klyzrgsGk0 says "or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL if GSSAPI supported such a thing"

Inventing a GSS_C_NT_ENTERPRISE_PRINCIPAL OID and patching krb5_gss_import_name to call krb5_name_parse_flags with KRB5_PRINCIPAL_PARSE_ENTERPRISE when it's used seems to work, but obviously it would be better if that was standard.

Or we can just escape the '@' with a '\'.

Any suggestions or recommendations?

Thanks,
Alan

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
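The escaping alternative mentioned in the post, as an added example that is not part of the original message and is not MIT krb5 code: it quotes a UPN so that krb5 name syntax keeps it as a single component, and checks that no unescaped '@' is left to act as a realm separator. The helper names `upn_escape` and `realm_separator` are hypothetical, and the sample UPN is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quote a UPN for krb5 name syntax: '\\', '/' and '@' each get a leading
 * backslash so the parser reads them as literal characters rather than as
 * component or realm separators. Returns the output length, or -1 if the
 * buffer is too small. Hypothetical helper, not a libkrb5 function. */
int upn_escape(const char *upn, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const char *p = upn; *p != '\0'; p++) {
        int special = (*p == '\\' || *p == '/' || *p == '@');
        if (o + (special ? 2 : 1) >= outlen)
            return -1;              /* keep room for the terminating NUL */
        if (special)
            out[o++] = '\\';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

/* Locate the realm separator as the name syntax defines it: the first '@'
 * that is not escaped by a backslash. Returns NULL when there is none. */
const char *realm_separator(const char *name)
{
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                    /* skip the escaped character */
        else if (*p == '@')
            return p;
    }
    return NULL;
}

int main(void)
{
    const char *upn = "alice@corp.example";   /* constructed sample UPN */
    char buf[64];
    if (upn_escape(upn, buf, sizeof buf) < 0)
        return 1;
    printf("raw:     %s (realm split: %s)\n", upn,
           realm_separator(upn) ? "yes" : "no");
    printf("escaped: %s (realm split: %s)\n", buf,
           realm_separator(buf) ? "yes" : "no");
    return 0;
}
```

Escaping only keeps the UPN in one component; the parsed principal is not given the enterprise name type, which is what KRB5_PRINCIPAL_PARSE_ENTERPRISE sets.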