

24.2.4 Client Authentication Token Format


   A CSIv2 client authentication token is a mechanism-specific GSS initial context token. It contains a mechanism type identifier (an object identifier) and the mechanism-specific evidence (that is, the authenticator) required to authenticate the client.

   The following ASN.1 basic token definition describes the format of all GSSAPI initial context tokens. The definition of the inner context tokens is mechanism-specific.

   -- basic Token Format
   [APPLICATION 0] IMPLICIT SEQUENCE {
       thisMech MechType,
       -- MechType is an Object Identifier
       innerContextToken ANY DEFINED BY thisMech
       -- contents mechanism specific
   };

   The client authentication token has been designed to accommodate the initial context token corresponding to any GSSAPI mechanism. Implementations are free to employ GSSAPI mechanisms other than those required for conformance to CSIv2, such as Kerberos.

   The format of the mechanism OID in GSS initial context tokens is defined in [IETF RFC 2743] Section 3.1, “Mechanism-Independent Token Format,” pp. 81-82.

   24.2.4.1 Username Password GSS Mechanism (GSSUP)

   This specification defines a GSSAPI mechanism to support the delivery of authentication secrets above the transport such that they may be applied by a TSS to authenticate clients at shared secret authentication systems.

   The GSSUP mechanism assumes that transport layer security, such as that provided by SSL/TLS, will be used to achieve confidentiality and trust in the server, such that the contents of the initial context token do not have to be protected against exposures that occur as a result of networking.

   The object identifier allocated for the GSSUP mechanism is defined as follows:

   { iso-itu-t (2) international-organization (23) omg (130) security (1) authentication (1) gssup-mechanism (1) }

   GSSUP Initial Context Token

   For the GSSUP mechanism, only an inner context token corresponding to the initial context token is defined.

   The format of a GSSUP initial context token shall be as defined in [IETF RFC 2743] Section 3.1, “Mechanism-Independent Token Format,” pp. 81-82. This GSSToken shall contain an ASN.1 tag followed by a token length, an authentication mechanism identifier, and a CDR encapsulation containing a GSSUP inner context token as defined by the type GSSUP::InitialContextToken in Section 24.9.1, “Module GSSUP - Username/Password GSSAPI Token Formats,” on page 24-58 (and repeated below).

   // GSSUP::InitialContextToken
   struct InitialContextToken {
       CSI::UTF8String username;
       CSI::UTF8String password;
       CSI::GSS_NT_ExportedName target_name;
   };

   The target_name field of the GSSUP::InitialContextToken contains the name of the authentication domain in which the client is authenticating. This field aids the TSS in processing the authentication should the TSS support several authentication domains. A CSS shall fill the target_name field of the GSSUP::InitialContextToken with the contents of the target_name field of the CSIIOP::AS_ContextSec structure of the chosen CSI mechanism.

   The format of the name passed in the username field depends on the authentication domain. If the mechanism identifier of the target domain is GSSUP, then the format of the username shall be a Scoped-Username (with name_value) as defined in “Scoped-Username GSS Name Form” on page 24-15.

   GSSUP Mechanism-Specific Error Token

   The GSSUP mechanism-specific error token contains a GSSUP fatal error code.

   typedef unsigned long ErrorCode;

   // GSSUP Mechanism-Specific Error Token
   struct ErrorToken {
       ErrorCode error_code;
   };

   The following fatal error codes are defined by the GSSUP mechanism:

   // The context validator has chosen not to reveal the GSSUP
   // specific cause of the failure.
   const ErrorCode GSS_UP_S_G_UNSPECIFIED = 1;

   // The user identified in the username field of the
   // GSSUP::InitialContextToken is unknown to the target.
   const ErrorCode GSS_UP_S_G_NOUSER = 2;

   // The password supplied in the GSSUP::InitialContextToken was
   // incorrect.
   const ErrorCode GSS_UP_S_G_BAD_PASSWORD = 3;

   // The target_name supplied in the GSSUP::InitialContextToken does
   // not match a target_name in a mechanism definition of the target.
   const ErrorCode GSS_UP_S_G_BAD_TARGET = 4;

   A TSS is under no obligation to return a GSSUP error token; however, returning this token may facilitate the transition of the client-side GSS state machine through error processing. Accordingly, a TSS may indicate that SAS context validation failed in GSSUP client authentication by returning a GSSUP error token in a SAS ContextError message. In this case, a TSS that chooses not to reveal specific information as to the cause of the failed GSSUP authentication shall return a status value of GSS_UP_S_G_UNSPECIFIED.
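   The following Python is an added worked example, not part of the CSIv2 specification text, covering both the GSSUP initial context token described above and the error-token handling in this subsection. It builds the RFC 2743 Section 3.1 framing (tag 0x60, length, GSSUP mechanism OID, CDR encapsulation of GSSUP::InitialContextToken), parses it back on the TSS side, and answers failures with a GSSUP ErrorToken. It assumes that CSI::UTF8String and CSI::GSS_NT_ExportedName marshal as CDR sequence<octet> (as the CSI IDL module defines them), that the error token is carried as a CDR encapsulation of the ErrorToken struct, and that the exported target name follows RFC 2743 Section 3.2. The user store, the domain name and all function names (encode_initial_context_token, tss_validate, ...) are constructed for the example.

```python
import hmac
import struct

GSSUP_OID = "2.23.130.1.1.1"  # { iso-itu-t(2) ... omg(130) security(1) authentication(1) gssup-mechanism(1) }
GSS_UP_S_G_UNSPECIFIED, GSS_UP_S_G_NOUSER = 1, 2
GSS_UP_S_G_BAD_PASSWORD, GSS_UP_S_G_BAD_TARGET = 3, 4


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER: tag 0x06, length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return b"\x06" + der_len(len(body)) + bytes(body)


def cdr_octet_seqs(*seqs: bytes, little_endian: bool = False) -> bytes:
    """CDR encapsulation of consecutive sequence<octet> values: a byte-order flag,
    then for each sequence a ulong length aligned to 4 octets followed by its bytes."""
    fmt = "<I" if little_endian else ">I"
    out = bytearray([1 if little_endian else 0])
    for s in seqs:
        out.extend(b"\0" * (-len(out) % 4))  # alignment is relative to the encapsulation start
        out.extend(struct.pack(fmt, len(s)))
        out.extend(s)
    return bytes(out)


def exported_name(mech_oid: str, name: bytes) -> bytes:
    """GSS_NT_ExportedName (RFC 2743 3.2): TOK_ID 04 01, OID length, DER OID, name length, name."""
    oid = der_oid(mech_oid)
    return b"\x04\x01" + struct.pack(">H", len(oid)) + oid + struct.pack(">I", len(name)) + name


def encode_initial_context_token(username: str, password: str, target_name: bytes) -> bytes:
    """Client side (CSS): wrap the CDR-encapsulated GSSUP::InitialContextToken in RFC 2743 3.1 framing."""
    inner = cdr_octet_seqs(username.encode("utf-8"), password.encode("utf-8"), target_name)
    mech = der_oid(GSSUP_OID)
    return b"\x60" + der_len(len(mech) + len(inner)) + mech + inner


def decode_initial_context_token(tok: bytes) -> dict:
    """Server side (TSS): check the framing and OID, then unmarshal the three octet sequences."""
    if len(tok) < 2 or tok[0] != 0x60:
        raise ValueError("not an InitialContextToken ([APPLICATION 0])")
    pos = 1
    if tok[pos] < 0x80:
        length, pos = tok[pos], pos + 1
    else:
        n = tok[pos] & 0x7F
        length, pos = int.from_bytes(tok[pos + 1:pos + 1 + n], "big"), pos + 1 + n
    body = tok[pos:pos + length]
    mech = der_oid(GSSUP_OID)
    if len(body) != length or not body.startswith(mech):
        raise ValueError("bad token length or mechanism OID is not GSSUP")
    enc = body[len(mech):]
    fmt = "<I" if enc[0] == 1 else ">I"
    fields, off = [], 1
    for _ in range(3):
        off += -off % 4
        (n,) = struct.unpack_from(fmt, enc, off)
        off += 4
        if off + n > len(enc):
            raise ValueError("sequence length exceeds encapsulation")
        fields.append(enc[off:off + n])
        off += n
    return {"username": fields[0].decode("utf-8"),
            "password": fields[1].decode("utf-8"), "target_name": fields[2]}


def cdr_error_token(code: int) -> bytes:
    """CDR encapsulation of GSSUP::ErrorToken: big-endian flag, padding, one unsigned long."""
    return b"\0\0\0\0" + struct.pack(">I", code)


def error_code_of(err: bytes) -> int:
    return struct.unpack(">I", err[4:8])[0]


# Constructed TSS configuration: its target_name (as advertised in AS_ContextSec) and a user store.
TSS_TARGET = exported_name(GSSUP_OID, b"example-domain")
USERS = {"alice": "correct horse"}


def tss_validate(token: bytes, reveal_cause: bool = False):
    """Return (username, None) on success or (None, error_token) on failure.
    Unless reveal_cause is set, every failure is reported as GSS_UP_S_G_UNSPECIFIED."""
    try:
        ict = decode_initial_context_token(token)
    except (ValueError, struct.error, IndexError):
        return None, cdr_error_token(GSS_UP_S_G_UNSPECIFIED)
    if ict["target_name"] != TSS_TARGET:
        code = GSS_UP_S_G_BAD_TARGET
    elif ict["username"] not in USERS:
        code = GSS_UP_S_G_NOUSER
    elif not hmac.compare_digest(USERS[ict["username"]].encode(), ict["password"].encode()):
        code = GSS_UP_S_G_BAD_PASSWORD
    else:
        return ict["username"], None
    return None, cdr_error_token(code if reveal_cause else GSS_UP_S_G_UNSPECIFIED)
```

   The default of collapsing every failure to GSS_UP_S_G_UNSPECIFIED mirrors the last sentence of the text; a deployment that wants the distinct codes for client-side diagnostics trades that for confirming which usernames exist in the domain.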