FirebirdSQL / firebird

Firebird server, client and tools
https://www.firebirdsql.org/

Win_sspi plugin uses NTLM #8256

Closed milk37 closed 1 month ago

milk37 commented 1 month ago

AuthSspi.cpp makes a call to AcquireCredentialsHandle in the ctor of class AuthSspi (line 112) with the security package hard-coded as "NTLM".

Consider changing this to "Negotiate" to allow Kerberos to be tried initially, falling back to NTLM if Kerberos is not available.

Also note that MS is looking to disable NTLM in Windows 11 in the future; for info: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848
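An added example for the point above (it is not code from the Firebird project or from anyone in this thread): a PowerShell check that runs a loopback handshake through .NET's NegotiateStream, which selects the SSPI "Negotiate" package, and reports which provider Negotiate settled on (Kerberos when a ticket for the SPN can be obtained, otherwise NTLM), then reads the host's NTLM restriction policy so you can tell whether that NTLM fallback would still be allowed once NTLM is blocked. The function names, the default SPN `host/$env:COMPUTERNAME` and the assumption that a Windows host with PowerShell 5.1 or later is used are this example's own. It does not reproduce the "Negotiate client against an NTLM-only server" case, because NegotiateStream uses Negotiate on both ends.

```powershell
# Added example, not Firebird code. Runs a loopback Negotiate handshake with
# .NET's NegotiateStream (SSPI "Negotiate" package on both ends) and reports
# the provider Negotiate picked, then reads the host's NTLM restriction policy.
# Function and parameter names are this example's own; the SPN is an assumption.

function Test-NegotiateProvider {
    param(
        # SPN to authenticate against. Kerberos is chosen only when a ticket can
        # be issued for it; otherwise Negotiate falls back to NTLM.
        [string]$Spn = "host/$env:COMPUTERNAME"
    )
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
    $listener.Start()
    try {
        $port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
        $client = [System.Net.Sockets.TcpClient]::new()
        $client.Connect([System.Net.IPAddress]::Loopback, $port)
        $accepted = $listener.AcceptTcpClient()

        $server     = [System.Net.Security.NegotiateStream]::new($accepted.GetStream())
        $clientSide = [System.Net.Security.NegotiateStream]::new($client.GetStream())
        try {
            # The handshake is multi-round; run the server leg in the background
            # so the client leg on this thread can drive the token exchange.
            $serverTask = $server.AuthenticateAsServerAsync()
            $clientSide.AuthenticateAsClient(
                [System.Net.CredentialCache]::DefaultNetworkCredentials, $Spn)
            $serverTask.GetAwaiter().GetResult()

            [pscustomobject]@{
                Spn                   = $Spn
                Provider              = $server.RemoteIdentity.AuthenticationType  # "Kerberos" or "NTLM"
                ClientIdentity        = $server.RemoteIdentity.Name
                MutuallyAuthenticated = $clientSide.IsMutuallyAuthenticated
            }
        }
        finally {
            $clientSide.Dispose(); $server.Dispose()
            $client.Dispose(); $accepted.Dispose()
        }
    }
    finally {
        $listener.Stop()
    }
}

function Get-NtlmRestrictionPolicy {
    # Registry values Windows uses to audit or block NTLM. A missing value means
    # "not configured", i.e. NTLM is still allowed in that direction.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = Join-Path $lsa 'MSV1_0'
    $read = { param($path, $name) (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name }
    $outgoing = & $read $msv 'RestrictSendingNTLMTraffic'   # 0 allow, 1 audit, 2 deny all
    $incoming = & $read $msv 'RestrictReceivingNTLMTraffic' # 0 allow, 1 deny domain accounts, 2 deny all
    [pscustomobject]@{
        LmCompatibilityLevel         = & $read $lsa 'LmCompatibilityLevel'
        RestrictSendingNTLMTraffic   = $outgoing
        RestrictReceivingNTLMTraffic = $incoming
        OutgoingNtlmBlocked          = ($outgoing -eq 2)
        IncomingNtlmBlocked          = ($incoming -eq 2)
    }
}

# Usage: run on the client host, passing the SPN the Firebird server is reached
# under. Provider = NTLM together with OutgoingNtlmBlocked = True means a
# Negotiate client on this host has no working provider left.
Test-NegotiateProvider | Format-List
Get-NtlmRestrictionPolicy | Format-List
```

On a standalone (non-domain) machine the provider will always be NTLM, which is the case the NTLM deprecation hits hardest; on a domain member, pass the SPN of the account the Firebird service runs as to see whether Kerberos is actually reachable from the client.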

hvlad commented 1 month ago

Reopened due to failed QA test for #6204

hvlad commented 1 month ago

Must note that this change introduced an incompatibility between a "Negotiate" client and an "NTLM" server. AcceptSecurityContext() within the "NTLM" server returns SEC_E_INVALID_TOKEN when handling data from a "Negotiate" client. The other direction ("Negotiate" server and "NTLM" client) works OK.

hvlad commented 1 month ago

This is a documented restriction, see https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate:

A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.

hvlad commented 1 month ago

This ticket will never be closed ;) Reopened due to a problem found when WireCrypt is disabled on the server