Windows API's to access kerberos cache of logon user(sample similar to klist)

Hi experts,

I have a requirement where application is running as service on windows machine and i need to get user-name from kerberos cache if the user is logged-in via kerberos.

I am able to impersonate the logon user from my service. However, i don't know how to acess kerberos cache and get the kerberos user-name from it.

I have tried looking at SSPI and LSA but i don't find much help.

In fact earlier windows had "klist" sample code 'under platform\sdk\'. Similar to this is what i need.
Please suggest me if any other method to retrieve kerberos user-name.

Thanks and regards
Who is Participating?
askbConnect With a Mentor Commented:
You will not  be able to use - gss_acquire_creds() (This is GSSAPI specific) on your win32 box as the Win32 cred cache cannot be accesed with this call, which is specific to MIT only.

However, you need to something like -  AcquireCredentialsHandle() on Windows. This is a part of SSPI API. You could refere to the links below.  Note: That if you dont supply uesrname /pwd to this API it would read the default / users's cred cache, from there on you can obtain the user name from the credential handle. Hope this helps!!

Here it is step by step:
1. Load security.dll and get a pointer to the function table.
2. Say you want to use the NTLM package (which is the most common), so you call QuerySecurityPackageInfo() to obtain a SecPkgInfo pointer (don't forget to release it later using FreeContextBuffer()).
3. Now, think of your app as having two sides in the authentication process: a client and a server. For the server, you'll need to call AcquireCredentialsHandle() once. For the client, you need to do that, too, with a minor change: since you want to get credentials for a different user, you need to fill in a SEC_WINNT_AUTH_IDENTITY struct and pass a pointer to it to  AcquireCredentialsHandle() as the 5th parameter. Keep in mind that you should keep the struct around until your done.
4. Start the client/server conversation by successive calls to InitializeSecurityContext (for the client side) followed by AcceptSecurityContext (for the server side), passing the output buffer of one as the input buffer to the other. Note that on the first call to ISC() you'll pass NULL as the input buffer.
5. Finally, keep doing that until the client gets a return value of SEC_E_OK (assuming the auth went ok). It's important that you watch the client side, because when AcceptSecurityContext() returns SEC_E_OK, you still have to pass the client the buffer returned, so you're not really done yet.
6. Impersonate: A call to ImpersonateSecurityContext() will cause you to impersonate the security context of the user you just authenticated. Keep in mind that you call this function with the Server's context handle, not the client's. After that, you can go back to the original security context with a call toRevertSecurityContext().

Also check out some of the code samples from some of these links.

Let me know if you need more help!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.