Subject Re: Trusted Authentication working with the Services API?
Author Luke Tigaris
--- In, Helen Borrie <helebor@...>
> At 10:01 AM 3/06/2008, Luke Tigaris wrote:
> >Please explain the purpose of the isc_spb_trusted_auth parameter
> >if Trusted Authentication cannot be used with the Services API.
> For the situation where trusted authentication is needed and there
> is a likelihood that the ISC_USER and ISC_PASSWORD variables are
> set, there is a new DPB parameter that you can add to the DPB—
> isc_dpb_trusted_auth.

> >Also what is the purpose of the undocumented string block required
> >by this parameter?
> I don't know about any required "undocumented string block",
> sorry. I don't know what the command-line switches resolve to in
> the DPB but I'm assuming they cause the two environment variables
> to be read and then apply the results to the username and password
> fields of the DPB structure.Hopefully Dmitry will clarify this for
> you if/when he notices this (or you could ask directly on
> firebird-devel).

I am referring to the services parameter block isc_spb_trusted_auth.
It is completely different from the database parameter tag

> I don't know if it's a factor in your problems but trusted
> authentication won't work if your OS user names pan out with a
> length exceeding Firebird's max user name length (31 characters).
> So look at the combination of domain + '\' + OS user name and see
> whether this is the issue that is interfering with your SYSDBA
> resolution.

As I said earlier trusted authentication is working just fine when
attaching to a database, so I am having no issues with user name
lengths or ISC_USER stuff.

In reading through the source code for Firebird 2.1, I believe the
isc_spb_trusted_auth string block is expecting a token from the
InitializeSecurityContext api call within the NTLM SSP in Windows.
However, the protocol code appears to fully implement the handshake
process only for the attach_database code, not the attach_service
code. I will post in firebird-devel, as this is getting a little
deep for support list perhaps.