Hi Krb Devs,

I am writing a proxy for SQL Server, in which I also want to authenticate the clients that want to connect using Kerberos. The proxy server sits between the client and the SQL Server, and currently authenticates requests of the following types:

1. NTLM
2. SQL Authentication

The AP_REQ the client sends is wrapped as TDS -> GSS-API -> AP_REQ using the KRB5 mechanism. I was able to successfully accept the AP_REQ the client sent if it is not in SPNEGO. The problem I am facing is twofold:

1. SPNEGO-wrapped Kerberos AP_REQs are not being accepted using gss_accept_sec_context().
2. The S4U2Proxy-generated AP_REQ sent to the SQL Server results in an error with the message "The login is from an untrusted domain."

Looking into the Kerberos logs, I was able to successfully get S4U2Self and S4U2Proxy done, but I hit the second issue while sending the AP_REQ to the SQL Server. I verified the AP_REQ generated by gss_init_sec_context() (with the delegated creds and impersonation context) by sending it to my proxy again, and was able to extract all the information needed to authenticate.

Was there a change in KRB5-1.14.4 where SPNEGO cannot be decoded by gss_accept_sec_context()? I was able to get the flags requested by the client, but then got the GSS_BAD_TOKEN error code.

Any pointers or help regarding protocol transition and constrained delegation using MIT KRB5 will really be helpful. I am currently using t_s4u.c and s4u2proxy.c as my guides to develop this layer.

-----------------------------
Regards,
Tapas Sharma

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
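The first thing a proxy acceptor should establish when a token is rejected is which GSS-API mechanism the client actually sent, because the MIT mechglue layer selects the mechanism from the OID in the RFC 2743 InitialContextToken header and the acceptor credential has to cover that mechanism. The following is an added example, not code from the poster or from MIT krb5: it parses only that outer header (tag 0x60, DER length, OID) and reports whether the token is SPNEGO-wrapped or a bare krb5 mech token, rejecting truncated or malformed input; the sample tokens are constructed for illustration and carry a dummy inner body rather than a real AP-REQ.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Outer framing per RFC 2743 3.1: 0x60 <DER len> 0x06 <len> <mech OID> <inner token> */
typedef enum { MECH_UNKNOWN = 0, MECH_KRB5 = 1, MECH_SPNEGO = 2 } mech_t;

static const unsigned char OID_KRB5[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const unsigned char OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02};                /* 1.3.6.1.5.5.2 */

/* Constructed sample tokens (header + placeholder body, not real AP-REQ bytes). */
const unsigned char SAMPLE_SPNEGO[] = {0x60,0x0a, 0x06,0x06, 0x2b,0x06,0x01,0x05,0x05,0x02, 0xa0,0x00};
const unsigned char SAMPLE_KRB5[]   = {0x60,0x0d, 0x06,0x09, 0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02, 0x01,0x00};
const unsigned char SAMPLE_TRUNC[]  = {0x60,0x0a, 0x06,0x06, 0x2b};

/* Decode a DER length at buf[*pos]; -1 on malformed or truncated input. */
static long der_len(const unsigned char *buf, size_t n, size_t *pos) {
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) return b;                       /* short form */
    size_t k = b & 0x7f;                          /* long form: k length octets follow */
    if (k == 0 || k > sizeof(long) - 1 || *pos + k > n) return -1;
    long len = 0;
    for (size_t i = 0; i < k; i++) len = (len << 8) | buf[(*pos)++];
    return len;
}

/* Classify the mechanism named in the InitialContextToken header. */
mech_t classify_gss_token(const unsigned char *tok, size_t n) {
    size_t pos = 0;
    if (n < 2 || tok[pos++] != 0x60) return MECH_UNKNOWN;       /* [APPLICATION 0] */
    long outer = der_len(tok, n, &pos);
    if (outer < 0 || (size_t)outer > n - pos) return MECH_UNKNOWN; /* length exceeds buffer */
    if (pos >= n || tok[pos++] != 0x06) return MECH_UNKNOWN;    /* OBJECT IDENTIFIER tag */
    long olen = der_len(tok, n, &pos);
    if (olen < 0 || (size_t)olen > n - pos) return MECH_UNKNOWN;
    if (olen == (long)sizeof OID_KRB5 && memcmp(tok + pos, OID_KRB5, (size_t)olen) == 0) return MECH_KRB5;
    if (olen == (long)sizeof OID_SPNEGO && memcmp(tok + pos, OID_SPNEGO, (size_t)olen) == 0) return MECH_SPNEGO;
    return MECH_UNKNOWN;
}

int main(void) {
    static const char *names[] = {"unknown/malformed", "krb5", "SPNEGO"};
    printf("spnego sample: %s\n", names[classify_gss_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO)]);
    printf("krb5 sample:   %s\n", names[classify_gss_token(SAMPLE_KRB5, sizeof SAMPLE_KRB5)]);
    printf("truncated:     %s\n", names[classify_gss_token(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC)]);
    return 0;
}
```

Logging this classification next to the gss_accept_sec_context() status makes it immediately visible whether a GSS_S_BAD_TOKEN comes from a SPNEGO token reaching a krb5-only acceptor credential or from a genuinely corrupt token.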