alexbrainman / sspi

Windows SSPI
BSD 3-Clause "New" or "Revised" License

Kerberos Support #1

Closed enj closed 6 years ago

enj commented 7 years ago

@alexbrainman Could you point me to some documentation and/or links that could help me implement Kerberos support in Go on Windows using this library (something like https://github.com/alexbrainman/sspi/blob/master/ntlm/http_test.go)?

alexbrainman commented 7 years ago

help me implement Kerberos support in Go on Windows

Microsoft provides different SSP providers

https://msdn.microsoft.com/en-us/library/windows/desktop/aa380502(v=vs.85).aspx

You should be able to start with my sspi/ntlm package and change some code to implement Kerberos. In fact I have (as far as I remember) implemented Negotiate provider (it is NTLM + Kerberos) in one of my projects, and it worked. I will try and clean up my code and publish some code when I have free time. But you should have a go - it should not be hard.

Alex

alexbrainman commented 7 years ago

I have (as far as I remember) implemented Negotiate provider (it is NTLM + Kerberos) in one of my projects, and it worked.

Here 05f0258 are my changes.

Alex

enj commented 7 years ago

Thanks, I will try this out and let you know :smile:

bbigras commented 7 years ago

@enj did you test it?

enj commented 7 years ago

@brunoqc I have a WIP PR https://github.com/openshift/origin/pull/11371

There are still some bugs to take care of in my code and in this library. But for the most part everything works as expected. This did not work with the runas command.

trung commented 6 years ago

Extended Protection for Authentication (EPA) was introduced in Windows 7/WS2008R2 to thwart reflection attacks. This blog describes the changes in the implementation of NTLM Authentication that are needed to successfully authenticate to servers that have EPA enabled. Windows 7/WS 2008R2 and Windows 8/ WS2012 have EPA enabled out of the box.

When channel binding/extended protection for authentication (here and here) is enabled, there is an extra step needed to obtain the server certificate and encode it in the input buffer before sending it to InitializeSecurityContext. I copied the implementation from the Python library and made it work.

Will get a PR raised for review
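
The certificate-encoding step described above, as an added Go example that is not part of this repository, the linked PR, or the Python library trung mentions: it computes the RFC 5929 tls-server-end-point binding of the server certificate and lays out the SEC_CHANNEL_BINDINGS structure that the client places in a SECBUFFER_CHANNEL_BINDINGS buffer for InitializeSecurityContext. The function names and the throwaway self-signed certificate are my own assumptions, and the SSPI call itself is left out so the code runs on any platform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/binary"
	"math/big"
	"time"
)

// RFC 5929 tls-server-end-point: hash the DER certificate with its own
// signature hash, except that MD5 and SHA-1 are replaced by SHA-256.
func endpointHash(cert *x509.Certificate) []byte {
	switch cert.SignatureAlgorithm {
	case x509.SHA384WithRSA, x509.SHA384WithRSAPSS, x509.ECDSAWithSHA384:
		s := sha512.Sum384(cert.Raw)
		return s[:]
	case x509.SHA512WithRSA, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA512:
		s := sha512.Sum512(cert.Raw)
		return s[:]
	}
	s := sha256.Sum256(cert.Raw)
	return s[:]
}

// ChannelBindings lays out SEC_CHANNEL_BINDINGS (eight little-endian uint32 fields, 32 bytes)
// plus the application data: the blob placed in the SECBUFFER_CHANNEL_BINDINGS buffer for InitializeSecurityContext.
func ChannelBindings(certDER []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	app := append([]byte("tls-server-end-point:"), endpointHash(cert)...)
	out := make([]byte, 32, 32+len(app)) // initiator/acceptor address fields stay zero
	binary.LittleEndian.PutUint32(out[24:], uint32(len(app))) // cbApplicationDataLength
	binary.LittleEndian.PutUint32(out[28:], 32)               // dwApplicationDataOffset
	return append(out, app...), nil
}

// testCertDER builds a throwaway self-signed ECDSA/SHA-256 certificate (constructed for this example, not a real server cert).
func testCertDER() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

The resulting blob is what a Windows client hands to the SSPI call as a SECBUFFER_CHANNEL_BINDINGS buffer alongside the token buffer; the server compares it with the binding it derives from its own TLS endpoint.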

enj commented 6 years ago

I am going to close this since it appears to be working for me (even with runas). I will open issues or PRs if I encounter bugs after the code has seen more real world use.

openshift/origin#11371

alexbrainman commented 6 years ago

I am going to close this since it appears to be working for me (even with runas).

Glad to hear that.

I will open issues or PRs if I encounter bugs after the code has seen more real world use.

SGTM

Alex