denisenkom / go-mssqldb

Microsoft SQL server driver written in go language
BSD 3-Clause "New" or "Revised" License

kerberos SSO support #383

Open keith6014 opened 6 years ago

keith6014 commented 6 years ago

Would be great if we can integrate SSO with https://github.com/jcmturner/gokrb5. I can contribute if you give me some guidelines on the authentication protocol. This would be a great feature.

kardianos commented 6 years ago

Main point will be to put the capability in another package that can be optionally imported and registered.

Otherwise, for the auth protocol you can look up the TDS protocol on the MSDN docs and the corresponding authentication portion.

keith6014 commented 6 years ago

Thanks for the prompt reply!

I noticed we have NTLM support now but only for windows. Majority of my userbase is on Linux and Solaris.

So, I was trying to find a way for authentication.

How hard would it be to do a Generic kerberos client ?

Also why a separate package? Would be great if it was all in a single package. Is it because of supporting / testing? I can understand that.

If you give me some guidelines I can write up a wiki page for you on how I did Kerberos for *nix and MSSQL server :-)

kardianos commented 6 years ago

I don't know how hard, but if you want to just look for the current NTLM hooks and try to sub in another client, that sounds great to me.

keith6014 commented 6 years ago

I am looking for the NTLM hooks. But couldn't really find anything. I am guessing, I need to wrap this call, OpenConnector?

Any guidance would be helpful.

keith6014 commented 6 years ago

any ideas? any guidance would be helpful.

denisenkom commented 6 years ago

MSSQL does support Kerberos authentication, you should look into SPNEGO authentication: https://msdn.microsoft.com/en-us/library/dd340959.aspx

keith6014 commented 6 years ago

I know it supports it because we are using it in Java.

I was thinking, instead of sending Login Header, I send SPNEGO negotiation packet which I am able to create. I am creating the packet from gokrb5 so it will be OS agnostic.

I see your login header is being created by this spec, login7 -- https://msdn.microsoft.com/en-us/library/dd304019.aspx

Questions:

1) Would I still need to use Login7? It seems it's a generic interface for authentication, or do I use something completely different?
2) Presumably I still use Login7; where would I stuff the SPNEGO negotiation in the header? Would I use FEATUREEXTACK (https://msdn.microsoft.com/en-us/library/jj906481.aspx)? Does that sound right?

keith6014 commented 6 years ago

any ideas?

denisenkom commented 6 years ago

You would need to send Login7 request and then do SPNEGO handshake. To enable SPNEGO you should set SSPI fields in Login7 structure (search for SSPI on this page: https://msdn.microsoft.com/en-us/library/dd304019.aspx). Format for SSPI packet is described here: https://msdn.microsoft.com/en-us/library/dd303223.aspx. SSPI allows you to do Kerberos or NTLM authentication. For NTLM authentication I have an implementation in Python which can provide some clues on how to implement Kerberos. SSPI packet parser and generator is implemented here: https://github.com/denisenkom/pytds/blob/master/src/pytds/login.py#L93. In here https://github.com/denisenkom/pytds/blob/master/src/pytds/tds.py#L1384 it is injected into LOGIN7 packet. And here subsequent packets are processed: https://github.com/denisenkom/pytds/blob/master/src/pytds/tds.py#L813

For your second question, no, I don't think FEATUREEXTACK is needed for Kerberos authentication.
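The framing denisenkom describes above (LOGIN7 with the SSPI fields populated, then SSPI packets back and forth), as an added Go example that is not part of this thread or of go-mssqldb itself. It assumes the MS-TDS LOGIN7 layout (94-byte fixed part, ibSSPI/cbSSPI at offsets 78/80, cbSSPILong at 90, fIntSecurity as bit 0x80 of OptionFlags2), packet type 0x10 for LOGIN7 and 0x11 for the client's SSPI message, and token 0xED for the server's SSPI leg; the SPNEGO bytes themselves are a constructed placeholder, since producing them is gokrb5's job:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// TDS packet types, token and flag values used for integrated (SSPI/SPNEGO) login.
const (
	packLogin7    = 0x10       // LOGIN7 request
	packSSPI      = 0x11       // client's follow-up SSPI message
	packReply     = 0x04       // tabular result (server response stream)
	tokenSSPI     = 0xED       // SSPI token carrying the server's leg of the handshake
	statusEOM     = 0x01       // packet status: end of message
	fIntSecurity  = 0x80       // OptionFlags2 bit: use integrated security
	tdsVersion74  = 0x74000004 // TDS 7.4
	login7HdrSize = 94         // fixed part of LOGIN7, through cbSSPILong
)

// ucs2 encodes s as UTF-16LE, the encoding LOGIN7 string fields use.
func ucs2(s string) []byte {
	u := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(b[2*i:], c)
	}
	return b
}

// tdsPacket prepends the 8-byte TDS packet header (single packet, EOM, packet id 1).
func tdsPacket(typ byte, payload []byte) []byte {
	hdr := []byte{typ, statusEOM, 0, 0, 0, 0, 1, 0}
	binary.BigEndian.PutUint16(hdr[2:], uint16(8+len(payload)))
	return append(hdr, payload...)
}

// buildLogin7 builds a LOGIN7 payload with empty UserName/Password, fIntSecurity set,
// and the SPNEGO token last in the variable area, referenced by ibSSPI/cbSSPI.
// Tokens of 0xFFFF bytes or more set cbSSPI to 0xFFFF and carry the length in cbSSPILong.
func buildLogin7(host, app, server, db string, sspi []byte) []byte {
	hdr := make([]byte, login7HdrSize)
	binary.LittleEndian.PutUint32(hdr[4:], tdsVersion74)
	binary.LittleEndian.PutUint32(hdr[8:], 4096) // requested packet size
	hdr[25] = fIntSecurity                        // OptionFlags2
	var data []byte
	putStr := func(pos int, s string) {
		b := ucs2(s)
		binary.LittleEndian.PutUint16(hdr[pos:], uint16(login7HdrSize+len(data))) // ibXxx
		binary.LittleEndian.PutUint16(hdr[pos+2:], uint16(len(b)/2))             // cchXxx (chars)
		data = append(data, b...)
	}
	putStr(36, host)   // HostName
	putStr(40, "")     // UserName: empty, the identity travels in the SSPI token
	putStr(44, "")     // Password
	putStr(48, app)    // AppName
	putStr(52, server) // ServerName
	putStr(56, "")     // Unused/Extension
	putStr(60, "")     // CltIntName
	putStr(64, "")     // Language
	putStr(68, db)     // Database
	// hdr[72:78] ClientID (6 bytes) left zero.
	off := uint16(login7HdrSize + len(data))
	binary.LittleEndian.PutUint16(hdr[82:], off) // ibAtchDBFile, length 0
	binary.LittleEndian.PutUint16(hdr[86:], off) // ibChangePassword, length 0
	binary.LittleEndian.PutUint16(hdr[78:], off) // ibSSPI: token goes last so no later offset overflows
	if len(sspi) >= 0xFFFF {
		binary.LittleEndian.PutUint16(hdr[80:], 0xFFFF)
		binary.LittleEndian.PutUint32(hdr[90:], uint32(len(sspi))) // cbSSPILong
	} else {
		binary.LittleEndian.PutUint16(hdr[80:], uint16(len(sspi))) // cbSSPI
	}
	data = append(data, sspi...)
	binary.LittleEndian.PutUint32(hdr[0:], uint32(login7HdrSize+len(data))) // Length
	return append(hdr, data...)
}

// extractSSPI reads the SSPI blob back out of a LOGIN7 payload (the parser side).
func extractSSPI(login7 []byte) ([]byte, error) {
	if len(login7) < login7HdrSize {
		return nil, errors.New("login7 too short")
	}
	off := int(binary.LittleEndian.Uint16(login7[78:]))
	n := int(binary.LittleEndian.Uint16(login7[80:]))
	if n == 0xFFFF {
		n = int(binary.LittleEndian.Uint32(login7[90:]))
	}
	if off+n > len(login7) {
		return nil, errors.New("sspi field out of range")
	}
	return login7[off : off+n], nil
}

// serverSSPIToken pulls the server's SSPI token out of a response packet. It assumes the
// SSPI token is the first token in the stream, as on the challenge leg of the handshake.
func serverSSPIToken(pkt []byte) ([]byte, error) {
	if len(pkt) < 11 || pkt[0] != packReply || pkt[8] != tokenSSPI {
		return nil, errors.New("not a tabular response starting with an SSPI token")
	}
	n := int(binary.LittleEndian.Uint16(pkt[9:]))
	if 11+n > len(pkt) {
		return nil, errors.New("truncated SSPI token")
	}
	return pkt[11 : 11+n], nil
}

// sspiReply wraps the client's next SPNEGO token in an SSPI packet.
func sspiReply(token []byte) []byte { return tdsPacket(packSSPI, token) }

func main() {
	// Constructed stand-in for a SPNEGO NegTokenInit; a real one comes from gokrb5.
	initTok := []byte{0x60, 0x04, 0x06, 0x02, 0x2b, 0x06}
	login := tdsPacket(packLogin7, buildLogin7("client1", "example-app", "sql.example.test", "master", initTok))
	fmt.Printf("LOGIN7 packet: %d bytes, SSPI at offset %d\n", len(login), binary.LittleEndian.Uint16(login[8+78:]))
}
```

The loop a driver would run is: send `tdsPacket(packLogin7, buildLogin7(...))` with the first gokrb5 token; while the reply's first token is SSPI, feed it to the GSS context and send `sspiReply(nextToken)`; stop when the reply instead starts with LOGINACK/ERROR. Note that cbSSPI is only 16 bits, so large Kerberos tickets (big PACs) need the cbSSPILong path.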

keith6014 commented 6 years ago

Due to time restrictions, I can't work on it at the moment, but thanks for the help. I will work with the gokrb5 author to get a native implementation so we don't need a separate NTLM auth scheme.

keith6014 commented 6 years ago

Seems this is a tough request. The gokrb5 authors and I are confused on how to implement this. Maybe this should be tagged as a feature request and have someone internally look through this?

keith6014 commented 6 years ago

hey @denisenkom

Is this something you can help me with? I am available for testing, but I am afraid I am not that good with Go to implement the details you suggested.

denisenkom commented 6 years ago

Hi, yes, I will let you know when I would have something ready for testing.

denisenkom commented 6 years ago

To start I would need example packets that are being exchanged when Kerberos authentication is used. You can provide that data using Wireshark when you use Java version of TDS driver. That would help me in determining how to package Kerberos packages properly.

thda commented 6 years ago

The java driver for sql server implements kerberos there: https://github.com/Microsoft/mssql-jdbc/blob/dev/src/main/java/com/microsoft/sqlserver/jdbc/KerbAuthentication.java

keith6014 commented 6 years ago

I recently left the company where I was working on this stuff. The author of gokrb5 (https://github.com/jcmturner/gokrb5) is a great resource. That person is willing to help. https://github.com/jcmturner/gokrb5/issues/125

I will be on travel for the next few weeks. If someone is able to help in the meantime, please don't be shy

keith6014 commented 6 years ago

@denisenkom any thoughts from @jcmturner comments? https://github.com/jcmturner/gokrb5/issues/125

denisenkom commented 6 years ago

I've added Kerberos support to pytds recently: https://github.com/denisenkom/pytds/pull/103/files So if somebody wants to add it into go-mssqldb driver and have means to test it, then that would be a good starting point.

keith6014 commented 5 years ago

I can test it, just not sure I can add it :-)

keith6014 commented 5 years ago

Any word on this feature?

shandets commented 5 years ago

Any updates or ETAs on Kerberos support for go-mssqldb?

florspag commented 4 years ago

Hi @denisenkom any news on the support of kerberos go-mssqldb ? Thanks in advance

fenngineering commented 3 years ago

Is there any updates on kerberos go-mssqldb? Thanks

trunin commented 2 years ago

Is there any updates on kerberos go-mssqldb?