Subject: Re: racoon, gss-api auth, and win2k IPSec IKE ...
To: None <,>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 06/06/2002 18:44:55
In message <200206051730.KAA26026@Pescadero.DSG.Stanford.EDU>Jonathan Stone writ

[ MS puts UTF-8/unicode strings in what should be an ASCII principal-name]
>Is there _any_ hope of getting this to work by reworking all
>the racoon-level code, to try ASCIIfying and retrying each and every
>GSSAPI call after a name-related failure?  

`Almost...''  Turns out  out there's an misfeature/bug in Heimdal:
Heimdal's gss_init_sec_context() uses a helper, init_auth(),
which leaves junk/zeros in the auth_context's keytype and cksumtype.
I dunno about MIT krb5, but win2k doesn't like that at all. 
Explicitly setting those fields to a supported type, e.g.,

    this_cred.session.keytype = 0;
+   (*context_handle)->auth_context->keytype = KEYTYPE_DES;
+   (*context_handle)->auth_context->cksumtype = CKSUMTYPE_CRC32;    

works much better.  With that, the gss-api mechanism to a WIN2K/SP2
client, and a win2k/sp2 PDC, seems to work: racoon gets as far as
computing its DH public/private pair. But I'm still not seeing
phase2, so maybe  the Windows box is unhappy with  the de-unicoded names
racoon is now sending it (or maybe I need to add unicode->ascii compaction

I'll ask Assar &c on heimdal-discuss about the Heimdal GSSAPI vs win2k
issues. Anyone else interested in poring over racoon traces?

PS: mucho thanks to Frank and Zembu for adding the GSSAPI hooks to racoon.