GSSAPI Kerberos mechanism
Luke Howard
lukeh at PADL.COM
Fri Sep 6 05:33:00 GMT 2002
>I think that this document is close to defining the format of KRB5
>requests in GSSAPI/SPNEGO
Alternatively, see "The Kerberos Version 5 GSS-API Mechanism",
RFC 1964. There may be a WG update somewhere...
-- Luke
1.1. Context Establishment Tokens
Per RFC-1508, Appendix B, the initial context establishment token
will be enclosed within framing as follows:
   InitialContextToken ::=
   [APPLICATION 0] IMPLICIT SEQUENCE {
           thisMech MechType
                   -- MechType is OBJECT IDENTIFIER
                   -- representing "Kerberos V5"
           innerContextToken ANY DEFINED BY thisMech
                   -- contents mechanism-specific;
                   -- ASN.1 usage within innerContextToken
                   -- is not required
   }
The innerContextToken of the initial context token will consist of a
Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id
(TOK_ID) field, which shall contain the value 01 00.
The above GSS-API framing shall be applied to all tokens emitted by
the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR,
context-deletion, and per-message tokens, not just to the initial
token in a context establishment sequence. While not required by
RFC-1508, this enables implementations to perform enhanced
error-checking. The innerContextToken field of context establishment tokens
for the Kerberos V5 GSS-API mechanism will contain a Kerberos message
(KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
messages and 03 00 for KRB_ERROR messages.
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
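As an added illustration of the framing the quoted RFC text describes (this is example code written for this archive page, not code from Luke Howard, PADL or Samba), the following Python builds and parses an RFC 1964 context token: the outer [APPLICATION 0] DER wrapper, the mechanism OID, the two-byte TOK_ID, and the opaque Kerberos message behind it. The Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 and the APPLICATION tags of AP-REQ, AP-REP and KRB-ERROR (14, 15, 30) come from RFC 1964 and RFC 4120 rather than from the post; the Kerberos message bodies used here are constructed stand-ins, since the parser treats that part as opaque. The parser refuses tokens whose framing length, OID, or TOK_ID/payload-tag pairing does not line up, which is the kind of consistency check a receiver or a protocol dissector wants before handing the bytes to the Kerberos layer.

```python
"""Build and parse RFC 1964 GSS-API framed Kerberos V5 context tokens."""
from dataclasses import dataclass

# Kerberos V5 mechanism OID as assigned in RFC 1964 (known value, not quoted in the post).
KRB5_MECH_OID = "1.2.840.113554.1.2.2"

# TOK_ID values exactly as the quoted RFC text gives them: 01 00, 02 00, 03 00.
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

# Outer APPLICATION tags of the Kerberos messages themselves (RFC 4120: 14, 15, 30).
# Used only as a cross-check that the TOK_ID agrees with the payload that follows it.
EXPECTED_MSG_TAG = {"KRB_AP_REQ": 0x6E, "KRB_AP_REP": 0x6F, "KRB_ERROR": 0x7E}


class TokenError(ValueError):
    """Raised for any framing inconsistency; callers should drop the token."""


def _der_len_encode(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_len_decode(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise TokenError("truncated length field")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise TokenError("bad long-form length")
    n = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    if n < 0x80 or (nbytes > 1 and n < (1 << (8 * (nbytes - 1)))):
        raise TokenError("non-minimal DER length")  # DER requires the shortest form
    return n, pos + 1 + nbytes


def _oid_encode(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # base-128, high bit set on all but the last byte
    return bytes(out)


def _oid_decode(raw: bytes) -> str:
    if not raw or raw[-1] & 0x80:
        raise TokenError("truncated OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def build_initial_context_token(msg_type: str, krb_msg: bytes) -> bytes:
    """Wrap a Kerberos message as [APPLICATION 0] { OID, TOK_ID || krb_msg }."""
    tok_id = {v: k for k, v in TOK_IDS.items()}[msg_type]
    oid = _oid_encode(KRB5_MECH_OID)
    inner = b"\x06" + _der_len_encode(len(oid)) + oid + tok_id + krb_msg
    return b"\x60" + _der_len_encode(len(inner)) + inner


@dataclass
class ContextToken:
    mech_oid: str
    msg_type: str
    krb_msg: bytes  # the AP-REQ / AP-REP / KRB-ERROR bytes, left opaque here


def parse_initial_context_token(token: bytes) -> ContextToken:
    """Strip the RFC 1964 framing, validating every field on the way in."""
    if not token or token[0] != 0x60:
        raise TokenError("missing [APPLICATION 0] framing")
    total, pos = _der_len_decode(token, 1)
    if pos + total != len(token):
        raise TokenError("framing length does not match token size")
    if token[pos] != 0x06:
        raise TokenError("expected OBJECT IDENTIFIER for thisMech")
    oid_len, pos = _der_len_decode(token, pos + 1)
    if pos + oid_len > len(token):
        raise TokenError("truncated OID")
    mech = _oid_decode(token[pos:pos + oid_len])
    pos += oid_len
    if mech != KRB5_MECH_OID:
        raise TokenError(f"unexpected mechanism OID {mech}")
    tok_id = token[pos:pos + 2]
    msg_type = TOK_IDS.get(tok_id)
    if msg_type is None:
        raise TokenError(f"unknown TOK_ID {tok_id.hex()}")
    krb_msg = token[pos + 2:]
    if not krb_msg or krb_msg[0] != EXPECTED_MSG_TAG[msg_type]:
        raise TokenError("TOK_ID disagrees with the Kerberos message tag")
    return ContextToken(mech, msg_type, krb_msg)


if __name__ == "__main__":
    stub_ap_req = b"\x6e\x00"  # constructed stand-in: empty [APPLICATION 14]
    tok = build_initial_context_token("KRB_AP_REQ", stub_ap_req)
    print(tok.hex())
    print(parse_initial_context_token(tok))
```

Running the module prints the hex of a minimal token (60 0f 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 00) and the parsed fields; swapping the TOK_ID to 02 00 while leaving an AP-REQ payload in place, or shortening the outer length byte, makes the parser raise TokenError instead of passing the bytes on.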