Principal names are carried in EstablishContext messages of the SAS protocol, where they may appear in the identity_token
(the ITTPrincipalName discriminated type of an IdentityTokenType) or in the client_authentication_token, which is a GSS initial
context token.
Principal names are also present in the compound mechanisms defined within a TAG_CSI_SEC_MECH_LIST tagged component within
IORs. The target_name field of the AS_ContextSec structure may contain a sequence of principal names
corresponding to the authentication identities of the target (see “struct AS_ContextSec”
on page 24-39). A principal name may be used as one variant of the
ServiceSpecificName form used to identify one of the privilege_authorities within the SAS_ContextSec structure of a compound
mechanism definition within a target IOR (see “struct SAS_ContextSec” on page 24-40).
The principal names appearing in initial context tokens are in mechanism-specific (that is, internal) form, and may be converted
to the GSS mechanism-independent exported name object format (that is, an external form) by calling a mechanism-specific implementation
of GSS_Export_name. The inverse translation is performed by a mechanism-specific implementation of GSS_Import_name. A mechanism-specific
implementation of GSS_Display_name allows its caller to convert an internal name representation into a printable form with
an associated mechanism type identifier.
The principal names in identity tokens — those in the target_name field of AS_ContextSec structures and those in the privilege_authorities
field of SAS_ContextSec structures — are in external form (GSS_NT_ExportedName), and may be converted to internal form by
calling the appropriate mechanism-specific GSS_Import_name function.
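To make the external (GSS_NT_ExportedName) form concrete, the following is an added Python example, not part of the specification or of any ORB: it builds and parses the exported name token layout defined in RFC 2743 section 3.2 and rejects tokens whose length fields do not agree with the bytes actually present, which is the check a receiver of an identity token should make before acting on the carried name. The Kerberos V5 mechanism OID is the well-known value; the principal string is a constructed sample.

```python
# Layout of a GSS_NT_ExportedName token (RFC 2743 section 3.2):
#   04 01 | MECH_OID_LEN (2 bytes) | DER OID element (06 LL ...) | NAME_LEN (4 bytes) | NAME
EXPORTED_NAME_TOKEN_ID = b"\x04\x01"
KERBEROS_V5_OID = "1.2.840.113554.1.2.2"  # well-known Kerberos V5 mechanism OID

def _encode_der_oid(dotted: str) -> bytes:  # dotted string -> DER OBJECT IDENTIFIER element
    arcs = [int(a) for a in dotted.split(".")]
    body = b""
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:  # base-128, high bit on all but the last byte
        chunk = [sub & 0x7F]
        while sub >> 7:
            sub >>= 7
            chunk.insert(0, 0x80 | (sub & 0x7F))
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + body

def _decode_der_oid(element: bytes) -> str:  # DER element -> dotted string, strict about lengths
    if len(element) < 3 or element[0] != 0x06 or element[1] != len(element) - 2:
        raise ValueError("malformed DER OID element")
    subids, value = [], 0
    for b in element[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    if value:  # last byte still had its continuation bit set
        raise ValueError("truncated OID subidentifier")
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))

def export_name(mech_oid: str, name: bytes) -> bytes:
    """GSS_Export_name analogue: wrap a mechanism-internal name into the external form."""
    oid = _encode_der_oid(mech_oid)
    return EXPORTED_NAME_TOKEN_ID + len(oid).to_bytes(2, "big") + oid + len(name).to_bytes(4, "big") + name

def import_name(token: bytes) -> tuple[str, bytes]:
    """GSS_Import_name analogue: parse an exported name, rejecting any length mismatch."""
    if len(token) < 8 or token[:2] != EXPORTED_NAME_TOKEN_ID:
        raise ValueError("not a GSS exported name token")
    oid_end = 4 + int.from_bytes(token[2:4], "big")
    if len(token) < oid_end + 4:
        raise ValueError("truncated mechanism OID")
    mech = _decode_der_oid(token[4:oid_end])
    name_len = int.from_bytes(token[oid_end:oid_end + 4], "big")
    name = token[oid_end + 4:]
    if len(name) != name_len:  # trailing or missing bytes: do not trust the name
        raise ValueError("name length does not match token length")
    return mech, name
```

A real implementation would hand the parsed name to the mechanism named by the OID rather than interpreting the name bytes itself, since their meaning is mechanism-specific.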
Distinguished names may appear within an identity token, either as an asserted identity or indirectly as the subject distinguished
name within an asserted X.509 Identity Certificate. Distinguished names may also be derived from the underlying transport
authentication layer if client authentication is done using SSL certificates. Distinguished names may also be used as a form
of GeneralName in the GeneralNames variant of the ServiceSpecificName type. The ServiceSpecificName type is used to identify
privilege_authorities within the SAS_ContextSec structure of a compound mechanism definition within a target IOR.