Windows API's to access kerberos cache of logon user(sample similar to klist)

Hi experts,

I have a requirement where application is running as service on windows machine and i need to get user-name from kerberos cache if the user is logged-in via kerberos.

I am able to impersonate the logon user from my service. However, i don't know how to acess kerberos cache and get the kerberos user-name from it.

I have tried looking at SSPI and LSA but i don't find much help.

In fact earlier windows had "klist" sample code 'under platform\sdk\'. Similar to this is what i need.
Please suggest me if any other method to retrieve kerberos user-name.

Thanks and regards
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You will not  be able to use - gss_acquire_creds() (This is GSSAPI specific) on your win32 box as the Win32 cred cache cannot be accesed with this call, which is specific to MIT only.

However, you need to something like -  AcquireCredentialsHandle() on Windows. This is a part of SSPI API. You could refere to the links below.  Note: That if you dont supply uesrname /pwd to this API it would read the default / users's cred cache, from there on you can obtain the user name from the credential handle. Hope this helps!!

Here it is step by step:
1. Load security.dll and get a pointer to the function table.
2. Say you want to use the NTLM package (which is the most common), so you call QuerySecurityPackageInfo() to obtain a SecPkgInfo pointer (don't forget to release it later using FreeContextBuffer()).
3. Now, think of your app as having two sides in the authentication process: a client and a server. For the server, you'll need to call AcquireCredentialsHandle() once. For the client, you need to do that, too, with a minor change: since you want to get credentials for a different user, you need to fill in a SEC_WINNT_AUTH_IDENTITY struct and pass a pointer to it to  AcquireCredentialsHandle() as the 5th parameter. Keep in mind that you should keep the struct around until your done.
4. Start the client/server conversation by successive calls to InitializeSecurityContext (for the client side) followed by AcceptSecurityContext (for the server side), passing the output buffer of one as the input buffer to the other. Note that on the first call to ISC() you'll pass NULL as the input buffer.
5. Finally, keep doing that until the client gets a return value of SEC_E_OK (assuming the auth went ok). It's important that you watch the client side, because when AcceptSecurityContext() returns SEC_E_OK, you still have to pass the client the buffer returned, so you're not really done yet.
6. Impersonate: A call to ImpersonateSecurityContext() will cause you to impersonate the security context of the user you just authenticated. Keep in mind that you call this function with the Server's context handle, not the client's. After that, you can go back to the original security context with a call toRevertSecurityContext().

Also check out some of the code samples from some of these links.

Let me know if you need more help!


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.