
I have a C# client based on SSPI and a Java server based on GSSAPI. The communication flow is as below.

  1. Client creates TGT
  2. Client passes TGT to server
  3. Server uses the TGT and generates server token
  4. Server passes the server token to client
  5. Client uses that server token and generates the SGT

My communication flow breaks from the 6th step.

SSPI client failed to validate the server token with the error "Failed to invoke InitializeSecurityContext for a client. The specified principle is not known in the authentication system."

It seems the SPN used on the Java side cannot be recognized by the C# SSPI. According to this link there is a Windows-compatible SPN name format. The SPN I use on the Java side is as below.

HTTP/myserver-domain.com@test.local where test.local is the realm name. Any suggestion would be a great help.

Thanks

Sanjeev
Hasanthi
  • The described flow is incorrect. It does not work like that. The client does not create a TGT, the system does. The client doesn't send the TGT, it sends a service ticket. Rather than describing technical steps, describe what you want to achieve. It will be easier to give you advice. – Michael-O Jun 22 '16 at 06:22
  • Hi, thanks. I could resolve the problem. The SPN which I used for the server was not Windows compatible. Once I changed it I could solve the problem. Regarding the steps, before sending the service ticket, first the client sends a client token to the server asking the server to identify the client, right? I referred to this client token as the TGT. – Hasanthi Jun 22 '16 at 08:14
  • Not exactly, the client sends the service ticket to the target server and may ask the server to authenticate too (mutual auth). The client token is *not* the TGT. Sharing the TGT is dangerous because you reveal your identity for 10 hours. – Michael-O Jun 22 '16 at 11:49

0 Answers