In message <20020607154511.G11012@dr-evil.shagadelic.org>,
Jason R Thorpe writes:

>On Fri, Jun 07, 2002 at 05:55:18PM -0400, Ken Hornstein wrote:
>
> > One thing that comes to mind is that win2k GSSAPI generally uses SPNEGO,
> > and I believe Heimdal at that time didn't support it.
>
>No, it was definitely using Kerberos ... there was a vendor name
>string we weren't getting right at the time, as well (but I think
>I fixed that in racoon -- I can't remember right now :-)

My understanding is that win2k uses SPNEGO for authenticating CIFS
client sessions (sometimes, but not always; depends on which UI method
initiated the connection), but that the IKE exchagne is GSSAPI.

For SPNEGO, MS (and Samba-pre-3.0 "net join") seem to use ASCII for
principals, but the IKE GSSAPI exchanges use UTF-8/Unicode crap for
principal names. Dunno about the SSPI/GSSAPI-compatible example code;
I havent built the win2k SDK code, so I cannot try them against
Heimdal's nt_gss_{client,server} tests.  If only it was the other way
'round, racoon would be much happier...

BTW, on margianlly-relatred topic of win2k and GSSAPI: the docs I
found via Google all seem to say that MS's design (SSPI) supports an
extra leg of authentication, much like DCE GSSAPI; and that it can can
delegate tickets.  But (here's the rub) MS seems to use an
``ok-for-delegation'' bit (as defined in I-D?) bit in tickets to
specificy delegation, rather than the forwardable bit.  Anyone got
pointers to sample code --- even DCE sample code -- which does
delegation, and which interoperates with a Heimdal (or MIT) KDC, and
preferably their GSS libs?  (The only candiate I found was console
output from an IBM example app, but I really don't want to go beging
time on OS/390 RACF to test it :)