Need help with GSSAPI authentication

Joseph Galbraith galb at
Thu May 12 01:43:13 EST 2005

"Simon Gales" <sgales at> said:
> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash
> shows that my tickets ARE forwardable.
> Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
> OpenSSH 4.0p1.
> I've created two AD accounts, and extracted keys mapped to
> "host/ at REALM.COM" and
> "ssh/ at REALM.COM" and installed them into
> /etc/krb5.keytab.
> I can login to the server just fine - GSSAPI-with-mic authentication works
> fine.  But when I "klist" after logging in, I have no tickets.
> So... is this supposed to work?  Should my tickets get forwarded?  If not,
> is there a patch that would make this work?
> Any help would be appreciated...  I can provide server-side debug traces
> if it'll help, but I really just need to know if tgt-forwarding is
> supposed to work in OpenSSH 4.0...

"Simon Gales" <sgales at> also said:

> After more experimentation last night, I found that:
> + Putty (with patches) can authenticate but doesn't forward the tickets.
> + SecureCRT can authenticate but doesn't forward the tickets.
> + OpenSSH works fine, using kinit to get my tickets initially.

SecureCRT does indeed support this.

You need to make sure that:

+ Your user, the server, and the client are all trusted
   for delegation in the AD domain.

   To do this go to "Manage Users and Computers in Active Domain."

   In the "Computers" part of the tree, find your Windows XP
   box, and do Properties.  On the general page, turn on the
   "Trust computer for delegation" check box.

   Do the same thing for the unix server (it may not be in the
   "Computers" part-- it will depend on where you added it.

   Also, find your username and make sure it is also enabled
   for delegation (in the users section; do properties; on the
   "Account" tab, "Account is trusted for delegation")

+ Make sure SCRT is configured for delegation (you've probably
   already done this.)  Delegation should be set to "Full" on the
   properties dialog for GSSAPI authentication.

If you do this, you should not need to use the mit kerberos stuff
at all.

As Douglas noted, you may get away w/o doing this if you use
the mit stuff (change Method: from Auto to MS Kerberos.)

If this doesn't work, turning on File / Trace Options before you
connect might help use figure out what is going on.



(PS. I don't usually follow the mailing list, so please keep
me cc'd on any responses-- presuming my post actually gets
to the mailing list; I don't know if it is open or not.)

More information about the openssh-unix-dev mailing list