Microsoft KB Archive/274062

= Windows 2000-Based Clients Cannot Use GSSAPI to Delegate to Kerberos Servers =

Article ID: 274062

Article Last Modified on 2/21/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q274062



SYMPTOMS
When you use Kerberos delegation and the program that is requesting the delegation uses Generic Security Services Application Programming Interface (GSSAPI) instead of Microsoft Security Support Provider Interface (SSPI) to request the session ticket, the GSSAPI delegate does not work.



CAUSE
This problem can occur because there is a size computation problem in the Windows 2000 code which causes GSSAPI interoperability to be broken for MIT clients. Therefore, if a Kerberos delegation is made to an MIT Kerberos server, the delegation does not work.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack



WORKAROUND
To work around this problem, apply the following patch to the MIT Kerberos source distribution: *** accept_sec_context.c.orig  Thu Aug 31 12:27:45 2000 --- accept_sec_context.c       Thu Aug 31 12:28:21 2000
 * 502,508 ****
 * 502,508 ****

i = authdat->checksum->length - 24;

!         while(i>0) {

TREAD_INT16(ptr, option_id, bigend);

--- 515,521

i = authdat->checksum->length - 24;

!         while(i>4/*0*/) {    /* Win2000 bug */

TREAD_INT16(ptr, option_id, bigend);



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.



MORE INFORMATION
When you use Kerberos delegation, a service or program on one server can access the services or program on another server on behalf of the original user. This is accomplished by passing the user's Ticket Granting Ticket (TGT) to a Key Distribution Center (KDC) and requesting tickets from the server that is hosting the service or program.

For additional information about GSSAPI, click the article number below to view the article in the Microsoft Knowledge Base:

266080 Answers to Frequently Asked Kerberos Questions

Keywords: kbbug kbfix kbwin2000presp2fix KB274062

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.