GSSAPI Properties Dialog

SecureCRT


The GSSAPI Properties dialog can be accessed by clicking on the Properties button in the Authentication group of the Connection/SSH1, SSH2, or Telnet category of the Session Options dialog when GSSAPI is the specified authentication method.

GSSAPI (Generic Security Services Application Program Interface) is a generic API for performing client/server authentication. GSSAPI allows SecureCRT to authenticate with a server without knowing anything about the specific authentication mechanism in use.

Method

SecureCRT supports the following types of GSSAPI provider:

·    MS Kerberos - To use this provider, SecureCRT must be running on Windows 2000 or newer, and the computer must be joined to an Active Directory domain or otherwise configured to participate in a Kerberos realm.

·    GSSAPI - To use this provider, you must have a Gssapi32.dll file supplied by a third party (e.g., the MIT Kerberos distribution).  That third-party package must be configured correctly for your environment (realm, KDC, and credential cache), since SecureCRT relies on it for everything the mechanism does.

·    Auto Detect - This setting instructs SecureCRT to attempt to automatically determine which of the above two methods will work with the server that you are connecting to.  This is the recommended setting.

Delegation

When SecureCRT authenticates with GSSAPI, it can control whether the server receives delegated (forwarded) credentials that allow it to access other secured resources on your behalf (such as network file servers) without prompting for credentials again.  A server holding delegated credentials can act as you toward any other service that accepts them, so choose the least delegation the session actually needs.  SecureCRT supports the following delegation settings:

·    Full - If this setting is selected and the GSSAPI mechanism both supports delegation and is configured to allow it, the server may be able to access other secured resources without prompting for credentials.

·    None - If this setting is selected, no credentials are delegated; the server may have to prompt for further authentication in order to access secured resources such as network files or printers, or to log on to a different server.

·    Limited - This setting is the same as Full delegation for the MS Kerberos method.  If the GSSAPI method is in use, its meaning is determined by the Gssapi32.dll in use.

<< Advanced

Pressing this button expands (or contracts) the GSSAPI Properties dialog to display (or hide) the following options.

SPN (Server Principal Name)

When authenticating with GSSAPI, SecureCRT must determine the canonical name of a server. The server has exactly one canonical name, which no other server can share. The server may have other names, for example, the server 192.168.20.1 may be known as mail.mydomain.com, mydomain.com and mail, but it has only one canonical name, mail.mydomain.com.

SecureCRT uses this canonical name to form a Server Principal Name (SPN), which the GSSAPI provider uses to identify the server with which it should authenticate.

SecureCRT usually uses the host variable (HOST) to determine the server SPN.  However, this depends on hostname lookups working correctly: the name you typed is canonicalized through DNS before the SPN is formed, so a misconfigured or missing DNS entry produces the wrong SPN and the ticket request fails.  If lookups do not work correctly, this behavior can be overridden by manually specifying the SPN, which also removes the dependency on the resolver to decide which service principal is named.

Manually specify the SPN (default is host@$(HOST))

Checking this box enables the SPN text box below so that the SPN can be specified manually.

SPN

Enter the SPN string.  The string is almost always of the form host@<server canonical name>.  An example of a valid string is "host@mail.mydomain.com".  SecureCRT will make the following variable substitutions in the specified SPN name:

·    $(HOST) - the hostname as specified in the Session Options/Connection/SSH2 category.

·    $(PORT) - the port as specified in the Session Options/Connection/SSH2 category.

If the server is in a different Kerberos realm, the realm name may need to be appended (e.g., host@mail.mydomain.com@KRBS.MYDOMAIN.COM).
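The following is an added example, not SecureCRT code, that shows how the SPN described above is formed: canonicalize the session host, expand the $(HOST) and $(PORT) variables in the template, optionally append a realm, and validate the result as service@host[@REALM].  The canonical-name table is a constructed offline stand-in for the DNS lookup SecureCRT performs (using the names from this page), the "host" service name is the dialog's default, and the validation regex is this example's own simplification of principal syntax.

```python
"""Added example (not SecureCRT code): form and validate a GSSAPI SPN
from a session host, a template with $(HOST)/$(PORT) substitution, and
an optional realm suffix."""
import re

# Constructed stand-in for hostname lookup (alias -> canonical name).
# In SecureCRT this step is done by DNS and the GSSAPI provider.
CANONICAL_NAMES = {
    "mail": "mail.mydomain.com",
    "mydomain.com": "mail.mydomain.com",
    "192.168.20.1": "mail.mydomain.com",
    "mail.mydomain.com": "mail.mydomain.com",
}

# Default template shown in the dialog: "host@$(HOST)"
DEFAULT_SPN_TEMPLATE = "host@$(HOST)"

# service@host, optionally followed by @REALM.  Simplified syntax for this
# example: no '@' or whitespace inside any component.
_SPN_RE = re.compile(
    r"^(?P<service>[^@/\s]+)@(?P<host>[^@\s]+)(?:@(?P<realm>[^@\s]+))?$"
)


def canonical_name(host, table=CANONICAL_NAMES):
    """Return the canonical name for `host`, or None if lookup fails."""
    return table.get(host.lower())


def expand_template(template, host, port):
    """Apply the $(HOST) and $(PORT) substitutions the dialog documents."""
    return template.replace("$(HOST)", host).replace("$(PORT)", str(port))


def parse_spn(spn):
    """Split service@host[@REALM]; raise ValueError on malformed input."""
    m = _SPN_RE.match(spn)
    if not m:
        raise ValueError("malformed SPN: %r" % spn)
    return m.group("service"), m.group("host"), m.group("realm")


def build_spn(host, port=22, manual_spn=None, realm=None, table=CANONICAL_NAMES):
    """Return the SPN that would be handed to the GSSAPI provider.

    Automatic mode canonicalizes the session host through the lookup table
    and fails closed (ValueError) when the lookup fails, instead of guessing
    a name.  Manual mode takes the operator's template verbatim after
    variable substitution, which is the documented override for broken DNS.
    """
    if manual_spn is not None:
        spn = expand_template(manual_spn, host, port)
    else:
        canon = canonical_name(host, table)
        if canon is None:
            raise ValueError(
                "cannot canonicalize %r; specify the SPN manually" % host
            )
        spn = expand_template(DEFAULT_SPN_TEMPLATE, canon, port)
    if realm is not None:
        # Cross-realm case from the page: host@mail.mydomain.com@KRBS.MYDOMAIN.COM
        spn = spn + "@" + realm
    parse_spn(spn)  # reject anything that is not service@host[@REALM]
    return spn


if __name__ == "__main__":
    print(build_spn("mail"))                                   # host@mail.mydomain.com
    print(build_spn("192.168.20.1", realm="KRBS.MYDOMAIN.COM"))
    print(build_spn("mail", manual_spn="host@$(HOST)"))        # no canonicalization
```

The point of the two modes is visible in the last call: with a manual template the alias "mail" is used exactly as typed, so a wrong or shortened name in the SPN box yields a ticket request for a principal the KDC does not know, which is the same failure the automatic mode produces when DNS is broken.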