jason
2011-11-23 08:08:43 UTC
I am trying to extract group membership information from a Kerberos
ticket generated on Windows 2008 R2.
In this URL:
http://www.cs.wustl.edu/~jain/cse571-07/ftp/gss-api/index.html
I found the following statement:
Kerberos is also looking into mechanisms to include group membership
information in Kerberos authorization data. Although it would be
favorable to include group names into ACLs, GSS-API currently does not
have a mechanism to support this.
It seems Microsoft has extended Kerberos to include group membership
based on this URL:
http://msdn.microsoft.com/en-us/library/ms817918.aspx:
The Kerberos Authentication Group Membership Extensions extend the
Kerberos Authentication Network Service (version 5) specification to
support interactive logon authentication and group membership
information for the Microsoft Windows operating system. Extensions
include the Privilege Access Certificate (PAC) structure, located in
the authorization data field of the Kerberos v5 ticket.
That URL references a field (Authorization Data) in the ticket that I
cannot determine how to access using this API:
http://docs.oracle.com/javase/6/docs/api/org/ietf/jgss/GSSContext.html
My hope is that you can tell me how to get access to that field.
Or perhaps guidance on how to extract the group information from a
Kerberos ticket generated on Windows 2008 R2.
I am writing in Java, but would also be willing to write in C. The
logic to extract the group information from the ticket is running on
UNIX despite using Windows as the Kerberos server.
Thank you for any help you can give me!