curl-users

Using Kerberos for authentication to IIS 7.5 from Linux - what is needed for it to work?

From: wakizashi <wakizashi_at_yandex.ru>
Date: Sat, 16 Apr 2011 15:00:29 +0400
Hi all,
 
I'm trying to use an existing Kerberos 5 ticket for authentication with a web app running on IIS 7.5.
The web application has NTLM and "Windows" authentication enabled, which are shown in the response as "Negotiate" and "NTLM".

At the same time, the Linux system uses LDAP+Kerberos authentication (authenticated against Active Directory), and after login I have a valid Kerberos 5 ticket.
If I start a GSSAPI-supporting browser (Firefox), it automatically uses this ticket for authentication, but when I try to use curl, it doesn't happen.

Can somebody answer: what are the required command line options for CURL to use a Kerberos ticket and support the "Negotiate" type of auth?
And what are the requirements for the environment, besides having an active Kerberos ticket?

I've tried "--krb" and "--negotiate", but neither of these works.

Curl is compiled with GSSAPI (Heimdal) and fbopenssl 0.4 from the latest sources (the OS is SLES10; the curl there is quite old and limited).

Output is provided below.
As far as I can see, curl is not even trying to use the Kerberos ticket (while Firefox and Samba use it successfully).
 
-- Cut --
 
user@linux:~> klist
Ticket cache: FILE:/tmp/krb5cc_43303
Default principal: user@DOMAIN.COMPANY.ORG

Valid starting     Expires            Service principal
04/15/11 17:25:29  04/16/11 00:05:29  krbtgt/DOMAIN.COMPANY.ORG@DOMAIN.COMPANY.ORG


Kerberos 4 ticket cache: /tmp/tkt43303
klist: You have no tickets cached

user@linux:~> /usr/local/bin/curl -V
curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN Largefile NTLM SSL libz
 
user@linux:~> /usr/local/bin/curl --krb --negotiate -v 'http://webapp.domain.company.org'
* About to connect() to webapp.domain.company.org port 80 (#0)
*   Trying 10.125.30.41... connected
* Connected to webapp.domain.company.org (10.125.30.41) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.6.0
> Host: webapp.domain.company.org
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/7.5
< X-AspNet-Version: 4.0.30319
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< Date: Fri, 15 Apr 2011 13:25:51 GMT
< Content-Length: 1879
<
* Ignoring the response-body
* Connection #0 to host webapp.domain.company.org left intact
* Issue another request to this URL: 'http://webapp.domain.company.org'
* Re-using existing connection! (#0) with host webapp.domain.company.org
* Connected to webapp.domain.company.org (10.125.30.41) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.6.0
> Host: webapp.domain.company.org
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/7.5
< X-AspNet-Version: 4.0.30319
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< Date: Fri, 15 Apr 2011 13:25:51 GMT
< Content-Length: 1879
<
<html>
    <head>
        <title>Access is denied.</title>
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
         p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
         b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
         H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
         H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
         pre {font-family:"Lucida Console";font-size: .9em}
         .marker {font-weight: bold; color: black;text-decoration: none;}
         .version {color: gray;}
         .error {margin-bottom: 10px;}
         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

            <h2> <i>Access is denied.</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> Description: </b>An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
            <br><br>

            <b> Error message 401.2.: </b>Unauthorized: Logon failed due to server configuration. &nbsp;Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. &nbsp;Contact the Web server's administrator for additional assistance.<br><br>

            <hr width=100% size=1 color=silver>

            <b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.225

            </font>

    </body>
</html>
* Connection #0 to host webapp.domain.company.org left intact
* Closing connection #0
-- Cut --
Regards,
  Alexander

Received on 2011-04-17
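
An added example, not part of the original post and not curl project code: a shell check that reads a `curl -v` trace and reports which schemes the server offered and whether any request carried an `Authorization` header, plus a check of `klist` output for an HTTP/ service ticket. These are the two pieces of evidence behind the observation in the post that curl never attempted Negotiate. The function names, verdict strings and sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the auth exchange in a `curl -v` trace (stdin).
# Constructed sample shaped like the trace in the post; passing "token" as $1
# appends a request that carries a placeholder Negotiate token.
sample_trace() {
  printf '%s\r\n' '> GET / HTTP/1.1' '> Host: webapp.domain.company.org' '>' \
    '< HTTP/1.1 401 Unauthorized' '< WWW-Authenticate: Negotiate' \
    '< WWW-Authenticate: NTLM' '<'
  if [ "$1" = token ]; then
    printf '%s\r\n' '> GET / HTTP/1.1' \
      '> Authorization: Negotiate PLACEHOLDER_TOKEN' '>' '< HTTP/1.1 200 OK' '<'
  fi
}

# Prints: requests=N with_auth=M offered=<schemes> verdict=<result>
# ">" lines are what the client sent, "<" lines are what the server returned.
summarize_auth() {
  awk '
    { gsub(/\r/, "") }                                   # drop CRs from header lines
    /^> [A-Z]+ [^ ]+ HTTP\// { requests++ }              # one per request line
    tolower($0) ~ /^> authorization: / { with_auth++; sent[tolower($3)] = 1 }
    tolower($0) ~ /^< www-authenticate: / {
      if (!(tolower($3) in seen)) {                      # list each scheme once
        seen[tolower($3)] = 1
        offered = offered (offered ? "," : "") $3
      }
    }
    END {
      if ("negotiate" in sent)      verdict = "negotiate-attempted"
      else if ("negotiate" in seen) verdict = "negotiate-offered-not-attempted"
      else                          verdict = "negotiate-not-offered"
      printf "requests=%d with_auth=%d offered=%s verdict=%s\n",
             requests, with_auth, offered, verdict
    }'
}

# Succeeds if `klist` output (stdin) lists an HTTP/ service ticket, which a
# completed Negotiate handshake leaves in the cache next to the krbtgt.
has_http_ticket() {
  grep -Eq '[[:space:]]HTTP/[^@[:space:]]+@'
}

# Real use: curl --negotiate -v URL 2>&1 | summarize_auth   (-v goes to stderr)
sample_trace | summarize_auth
```

Run against the trace in the post, the summary shows Negotiate offered on every 401 and no request with an `Authorization` header, and the posted `klist` output contains only the krbtgt entry.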