gss_init_sec_context return No credentials cache found (Windows, C++)

Question

I try use gssapi32.dll in my application but I receive exception when app start

name like 'HTTP/proxy.domain.com@domain.com' I saw this name in Kerberos Ticket Tools

but I receive "No credentials cache found"

maybe anybody already has similar problem? and can help

Windows 7 (x64) MSVS C++ 2010 Express

thank you for your advice & sorry for my English

char* cHttp::getNegotiateToken(const char *service, const char *server) {
    char *token = 0;
    OM_uint32 major, minor;
    gss_buffer_desc gss_buffer;
    gss_buffer_desc gss_buffer_user;
    gss_name_t gss_name;
    gss_name_t gss_user_name;
    gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
    gss_buffer_desc gss_input_token = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc gss_output_token = GSS_C_EMPTY_BUFFER;

    OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;

    static gss_OID_desc gss_krb5_mech_oid_desc =
        { 9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };


    if(!service || !server) {
        Logger.writeLogHead(llError) << "Service and server values cannot be NULL!" << EndOfLine;
        return 0;
    }

    gss_buffer.length = 28;//strln(service) + strln(server) + 2;
    gss_buffer.value = malloc(gss_buffer.length);

    gss_buffer_user.length = 26;
    gss_buffer_user.value = malloc(gss_buffer_user.length);

    Logger.writeLogHead(llError) << "service \"" << service << "\" server \"" << server << "\" length " <<  (int)gss_buffer.length << EndOfLine;

    if(!gss_buffer.value) {
        Logger.writeLogHead(llError) << "malloc failed" << EndOfLine;
        return 0;
    }

    sprintf((char *)gss_buffer.value, "%s", "HTTP/proxy.domain.com@domain.com");

    major = gss_import_name(&minor, &gss_buffer, GSS_C_NT_HOSTBASED_SERVICE, &gss_name);
    free(gss_buffer.value);

    if (major != GSS_S_COMPLETE) {
        logGssError(major, minor, "gss_import_name");
        return 0;
    }

    gss_buffer_desc out_name;

    major = gss_display_name(&minor, gss_name, &out_name, NULL);
    if (major != GSS_S_COMPLETE) {
        logGssError(major, minor, "gss_display_name");
        return 0;
    }

    Logger.writeLogHead(llWarning) << "Service name : " << (const char*)out_name.value << EndOfLine;

    major = gss_init_sec_context(
        &minor,
        GSS_C_NO_CREDENTIAL, 
        &gss_context,
        gss_name, 
        &gss_krb5_mech_oid_desc,
        req_flags,
        GSS_C_INDEFINITE,
        GSS_C_NO_CHANNEL_BINDINGS,
        &gss_input_token,
        NULL,
        &gss_output_token,
        NULL,
        NULL);

    if (major == GSS_S_NO_CRED) {
        Logger.writeLogHead(llError) << "gss_init_sec_context GSS_S_NO_CRED" << EndOfLine;
    }

    if (major != GSS_S_COMPLETE) {
        logGssError(major, minor, "gss_init_sec_context");
        return 0;
    }

    if (gss_output_token.length == 0) {
        Logger.writeLogHead(llError) << "Token don't need to be send." << EndOfLine;
        return 0;
    } 

    // TODO: Need to make SPNEGO token (spnegohelp)
    token = base64_encode((const char *)gss_output_token.value, gss_output_token.length);

    major = gss_delete_sec_context(&minor, &gss_context, GSS_C_NO_BUFFER);
    if (major != GSS_S_COMPLETE) {
        logGssError(major, minor, "gss_delete_sec_context");
        return 0;
    }

    major = gss_release_name(&minor,&gss_name);
    if (major != GSS_S_COMPLETE) {
        logGssError(major, minor, "gss_release_name");
        return 0;
    }

    return token;
}

-- edited thank you friend - I think that I will go on proposed way

Answer 1

In my case need using spnego mechanism instead of gss_krb5_mech_oid_desc

static gss_OID_desc gss_spnego_mech_oid_desc =
        { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
        //{ 9, (void*) "\x06\x06\x2b\x06\x01\x05\x05\x02\xa0" };

gss_OID mMechOID;

mMechOID = &gss_krb5_mech_oid_desc;

Answer 2

Do you really need the GSS-API under Windows? You should rather use SSPI. The GSS-API does not have direct access to the ticket cache in memory. Check my answer here.