FirebirdSQL / firebird

Firebird server, client and tools
https://firebirdsql.org

Win_sspi plugin uses NTLM #8256

Closed milk37 closed 1 month ago

milk37 commented 2 months ago

AuthSspi.cpp makes a call to AcquireCredentialsHandle in the ctor of class AuthSspi (line 112) with the security package hard-coded as "NTLM".

Consider changing this to "Negotiate" to allow Kerberos to be tried initially, falling back to NTLM if Kerberos is not available.

Also note that MS is looking to disable NTLM in Windows 11 in the future; for info: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848

hvlad commented 2 months ago

Reopened due to failed QA test for #6204

hvlad commented 2 months ago

Must note that this change introduced an incompatibility between a "Negotiate" client and an "NTLM" server. AcceptSecurityContext() within an "NTLM" server returns SEC_E_INVALID_TOKEN when handling data from a "Negotiate" client. The other direction ("Negotiate" server and "NTLM" client) works OK.

hvlad commented 2 months ago

This is a documented restriction, see https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate:

A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.
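
The mismatch reported above has a wire-level explanation: a credential acquired with the "Negotiate" package normally emits SPNEGO-framed GSS-API tokens, while a server credential acquired with "NTLM" expects raw NTLMSSP messages, which is consistent with the SEC_E_INVALID_TOKEN seen only in the Negotiate-client / NTLM-server direction. The Python below is an added example, not Firebird or Microsoft code: it classifies the first client-to-server token of a handshake and applies the compatibility matrix from this thread, so an operator can tell from a capture which package each side was built with. The OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers; the sample tokens, the `server_accepts` rule and all function names are constructed for illustration.

```python
GSS_SPNEGO_OID = bytes.fromhex("2b0601050502")                       # 1.3.6.1.5.5.2
MECH_NAMES = {bytes.fromhex("2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
              bytes.fromhex("2a864886f712010202"): "KRB5"}           # 1.2.840.113554.1.2.2

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _items(buf):                                                     # consecutive DER elements
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val

def classify_token(token):
    """Framing of the first client token and, for SPNEGO, the mechanisms it offers."""
    if token.startswith(b"NTLMSSP\x00"):                             # what an "NTLM" client sends
        return {"framing": "NTLMSSP", "mechs": ["NTLMSSP"]}
    if token[:1] != b"\x60":                                         # not a GSS InitialContextToken
        return {"framing": "unknown", "mechs": []}
    _, body, _ = _tlv(token, 0)
    tag, oid, pos = _tlv(body, 0)                                    # thisMech OID
    if tag != 0x06 or oid != GSS_SPNEGO_OID:
        return {"framing": "gss-other", "mechs": [MECH_NAMES.get(oid, oid.hex())]}
    tag, neg, _ = _tlv(body, pos)                                    # [0] NegTokenInit
    mechs = []
    if tag == 0xA0:
        _, seq, _ = _tlv(neg, 0)
        for tag, val in _items(seq):
            if tag == 0xA0:                                          # mechTypes [0] SEQUENCE OF OID
                _, lst, _ = _tlv(val, 0)
                mechs = [MECH_NAMES.get(m, m.hex()) for _, m in _items(lst)]
    return {"framing": "SPNEGO", "mechs": mechs}

def server_accepts(server_package, token):
    # Matrix from the thread: a "Negotiate" server takes both framings, an "NTLM" server
    # only raw NTLMSSP (a SPNEGO token makes it return SEC_E_INVALID_TOKEN).
    ok = {"Negotiate": ("SPNEGO", "NTLMSSP"), "NTLM": ("NTLMSSP",)}
    return classify_token(token)["framing"] in ok.get(server_package, ())

def build_neg_token_init(mech_oids):
    """Constructed sample: SPNEGO NegTokenInit offering mech_oids, without mechToken."""
    der = lambda t, v: bytes([t, len(v)]) + v                        # short-form DER length only
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    return der(0x60, der(0x06, GSS_SPNEGO_OID) + der(0xA0, der(0x30, mech_types)))
NTLM_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24  # constructed
```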

hvlad commented 1 month ago

This ticket will never be closed ;) Reopened due to a problem found when WireCrypt is disabled on the server