spnego sspi delegation [windows 7]
Date: Wed, 3 Jul 2019 12:56:09 +0000
I have a problem with curl lib in window which I have managed to quick fix it but I would need some further insight from experts.
I am using curllib (or curl command) with --negotiate authentication on Windows and "--delegation always" (or policy) parameter. We use Kerberos authentication for what I know.
The server I connect to will forward the request to a back end system and my credential must be provided to be authorized. In Linux seems to work out of the box but in windows I had always had an error like
"Could not impersonate INTRANET\XXXX as authentication token was not provided".
The ticket stored in my box for the server I connect to includes the following attribute
Ticket Flags -> forwardable renewable pre_authent ok_as_delegate
I have managed to make it work via adding the flag ISC_REQ_DELEGATE to the call in spnego_sspi.c (around line 250)
nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
chlg ? nego->context :
ISC_REQ_DELEGATE | ISC_REQ_CONFIDENTIALITY, // <== CODE CHANGE added flag ISC_REQ_DELEGATE
chlg ? &chlg_desc : NULL,
Now what I wanted to do is to handle the parameter --delegation properly.
First of all I wound need to see in the security package support DELEGATION. Hence I have checked if the
nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
unsigned long isc_flags = ISC_REQ_CONFIDENTIALITY;
if (SecurityPackage->fCapabilities & SECPKG_FLAG_DELEGATION)
if (data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG)
isc_flags |= ISC_REQ_DELEGATE;
else if (data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
// error not supported ???
Of course is not a gssapi_delegation but I assume sspi should mimic the gssapi interface/functionality so we could in theory use the same flag.
Question 1: Is there a way to force the delegation using sspi ? or CURLGSSAPI_DELEGATION_FLAG is not supported e.g. there is no way to force if the Active directory does not allow it?
Question 2: When I Iook at the fCapability flags in the SecurityPackage structure for the loaded package (secur32) I have the info below back (which I have pretty printed). The SECPKG_FLAG_DELEGATION is false so I am a bit puzzled. I can make it work but the library tells me the delegation is not supported.
Now my knowledge in here is very limited.
If I want to reuse the delegation option what flag do I need to check to know If this functionality is supported ? If It is GSS COMPATIBLE ?
Thanks for any help you could provide.
Security Package: Negotiate
Security Package supported flags: 83bb3
Comment: Microsoft Package Negotiator
NOT SUPPORTED [SECPKG_FLAG_TOKEN_ONLY]
NOT SUPPORTED [SECPKG_FLAG_DATAGRAM]
NOT SUPPORTED [SECPKG_FLAG_CLIENT_ONLY]
NOT SUPPORTED [SECPKG_FLAG_STREAM]
NOT SUPPORTED [SECPKG_FLAG_ASCII_BUFFERS]
NOT SUPPORTED [SECPKG_FLAG_FRAGMENT]
NOT SUPPORTED [SECPKG_FLAG_MUTUAL_AUTH]
NOT SUPPORTED [SECPKG_FLAG_DELEGATION]
NOT SUPPORTED [SECPKG_FLAG_READONLY_WITH_CHECKSUM]
NOT SUPPORTED [SECPKG_FLAG_NEGO_EXTENDER]
NOT SUPPORTED [SECPKG_FLAG_NEGOTIABLE2]
NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_PASSTHROUGH]
NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_CHECKS]
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Execution Services Limited provides support and administrative services across Barclays group. Barclays Execution Services Limited is an appointed representative of Barclays Bank UK plc, Barclays Bank plc and Clydesdale Financial Services Limited. Barclays Bank UK plc and Barclays Bank plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Clydesdale Financial Services Limited is authorised and regulated by the Financial Conduct Authority.
Received on 2019-07-03