Discussion:
Miscellaneous failure:Matching credential not found
eswars
2007-09-18 14:40:11 UTC
Hi,

In my application I am trying to get the default Windows login credentials from
the "MSLSA:" cache and store them in the Kerberos default cache (for example:
FILE:C:\krb5cc). Using this cache file I am trying to generate a service ticket
for a particular user which can be used to mutually authenticate against
another user (Server user).

This scenario is working in all the English OS. If I try to import from
"MSLSA:" to FILE:C:\krb5cc in Chinese OS I am able to import into the file
successfully. When I try to generate a service ticket using
gss_init_sec_context() it fails with the following error.

gss_init_sec_context () failed: Miscellaneous failure: Matching credential
not found.

Even Leash is not able to show the cache data (FILE:C:\krb5cc) properly.

Is there any other way I can do this? I can get token and generate service
ticket without importing into local cache.

Please help me in advance.

Thanks && Regards,

Eswar s



****************************************************************************
****************************
This e-mail and attachments contain confidential information from HUAWEI,
which is intended only for the person or entity whose address is listed
above. Any use of the information contained herein in any way (including,
but not limited to, total or partial disclosure, reproduction, or
dissemination) by persons other than the intended recipient's) is
prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!
Jeffrey Altman
2007-09-18 19:03:05 UTC
Post by eswars
Hi,
In my application I am trying to get default windows login credentials from
FILE:C:\krb5cc).using this cache file I am trying to generate service ticket
for particular user which can be used to mutually authenticate against
another user (Server user).
This scenario is working in all the English OS. If I try to import from
"MSLSA:" to FILE:C:\krb5cc in Chinese OS I am able to import into file
successfully. When I try to generate service ticket using
gss_init_sec_context () it is failed with following error.

What is the principal name you are attempting to match?


eswars
2007-09-19 07:31:45 UTC
Hi,

Post by eswars
In my application I am trying to get default windows login credentials from
FILE:C:\krb5cc).using this cache file I am trying to generate service ticket
for particular user which can be used to mutually authenticate against
another user (Server user).
This scenario is working in all the English OS. If I try to import from
"MSLSA:" to FILE:C:\krb5cc in Chinese OS I am able to import into file
successfully. When I try to generate service ticket using
gss_init_sec_context () it is failed with following error.
What is the principal name you are attempting to match?

I am trying to use the server username (ex: test at MYDOMAIN.COM) to generate
a service ticket through which I can mutually authenticate with the Server.

This is working fine in all English Windows OS. Here what I am doing is
using the ms2mit code to get the default Windows logon user ticket cached
to the MIT file cache. Whenever gss_init_sec_context() tries to use that default
cache to generate a service ticket I get the error "miscellaneous failure:
Matching credential not found".

Even Leash is not able to show the Username properly. It shows something
in Chinese (some garbage).

I feel there is a problem in writing the ticket to the cache file. If I do kinit with
password and try for a service ticket with gss_init_sec_context() it is fine
even in Chinese OS.





Jeffrey Altman
2007-09-19 12:48:18 UTC
Post by eswars
I am trying to use server username (ex: test at MYDOMAIN.COM) to generate
service ticket through which i can mutually authenticate with Server.
This is working fine in all English Windows OS.Here what I am doing is
ms2mit code I am using to get default windows logon user ticket to be cache
to MIT file cache. When ever gss_init_sec_context() try to use that default
Matching credential not found".
Even in the leash not able to show the Username properly. It shows something
in Chinese (some garbage).
I feel there is problem in writing ticket to cache file. If I do kinit with
password and try for service ticket with gss_init_sec_context () it is fine
even in Chinese OS.

I suspect the problem is character set related. The Kerberos protocol
as currently specified in RFC4120 only supports US.ASCII. Microsoft bent
the rules to support UNICODE and can do so in their API because internally
all string data is stored as UNICODE.

MIT Kerberos stores all string data as "C" language strings. (A sequence
of single byte characters followed by a terminating NUL.) When the MSLSA
ccache is used, it translates all strings from Unicode to the local
system's ANSI character set. However, there is a trick used. Unless MIT
Kerberos is attempting to actually use the ticket, the MSLSA ccache
routines do not actually read the ticket and therefore it limits the
potential opportunity for damage.

When you copy tickets from the MSLSA to FILE ccaches, the entire ticket
must be copied and all strings translated. My guess is that the damage is
occurring not in the FILE ccache but in the Unicode to ANSI translation
that takes place as part of the export.

This would best be verified using the Microsoft Debugging Tools for
Windows in combination with the Debugging Symbols that ship with KFW and
the matching source code for the version you are using.

Jeffrey Altman
Secure Endpoints Inc.
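
Added illustration, not part of the thread and not KfW code: the class of failure suspected above, where a name held as Unicode is exported to a NUL-terminated byte string in the local ANSI code page. Python codecs stand in for the Windows conversion; the principal 用户@MYDOMAIN.COM and the code pages cp936 and cp1252 are constructed assumptions.

```python
# Added illustration (not KfW source): Python codecs stand in for the
# Unicode -> ANSI conversion done when a credential is exported.

def export_name(name_utf16le: bytes, codepage: str) -> bytes:
    """Convert a UTF-16LE name to a NUL-terminated string in `codepage`.

    Characters the code page cannot represent become '?', a best-effort
    substitution, so the conversion itself never reports an error.
    """
    text = name_utf16le.decode("utf-16-le")
    return text.encode(codepage, errors="replace") + b"\x00"


def round_trips(name_utf16le: bytes, codepage: str) -> bool:
    """True if the exported bytes decode back to the original name."""
    exported = export_name(name_utf16le, codepage)[:-1]  # drop the NUL
    original = name_utf16le.decode("utf-16-le")
    return exported.decode(codepage, errors="replace") == original


def same_principal(a: bytes, b: bytes) -> bool:
    """Byte-wise comparison, as a C string compare would do."""
    return a == b


def audit(names, codepages):
    """Return (name, codepage, exported bytes, lossless?) for every pair."""
    rows = []
    for name in names:
        raw = name.encode("utf-16-le")
        for cp in codepages:
            rows.append((name, cp, export_name(raw, cp), round_trips(raw, cp)))
    return rows


# Constructed samples: the ASCII name follows the thread's example,
# the non-ASCII one is hypothetical.
SAMPLE_NAMES = ["test@MYDOMAIN.COM", "用户@MYDOMAIN.COM"]
CODEPAGES = ["cp936", "cp1252"]  # Simplified Chinese / Western European

if __name__ == "__main__":
    for name, cp, exported, ok in audit(SAMPLE_NAMES, CODEPAGES):
        print(f"{name!r:24} {cp:7} {exported!r:40} lossless={ok}")
```

An ASCII-only name exports to the same bytes under every code page, while a non-ASCII name either changes byte representation or is silently replaced, so a later byte-wise match against the requested principal can fail even though the copy reported success.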

eswars
2007-09-20 09:27:00 UTC
Hi,

I was using 2.6.5 leash binaries. I updated to 3.2 leash binaries, now it is
working fine. I was also thinking this problem is related to Unicode and
ANSI. I think the latest release fixed this problem. I found this solution by
executing both the leash releases on the same Chinese machine.
So 2.6.5 was showing some garbage name and the latest release is showing it
properly.

Thank you. Please suggest if I have anything wrong.


Thanks and regards,
Eswar S
