jborean93
commented
9 months ago It’s up to the caller of pyspnego to specify the host and service to use in the token. The defaults there mean that it’s not being set. Historically this wasn’t ever an issue with NTLM as most services just ignore this value but I’ve seen some hardening policies on Windows which will actually try and verify this value which sounds like what you might be encountering.
Unfortunately there’s not much pyspnego can do here, it just generates the tokens and thus it’s the caller who needs to pass the required information to it.
alonchin
Hey @jborean93
Firstly, thanks for your excellent work on the
pyspengoproject. It's working well for the past two years with different services. However, I recently encountered an authentication failure issue when the server responded with a 500 status code on theAUTHENTICATE_MESSAGEfrom my client. Interestingly, NTLM authentication through CURL works seamlessly for the same server and credentials.Upon analyzing the parsed NTLM token from the
authenticate message, I observed a critical discrepancy in theMSV_AV_TARGET_NAMEfield which doesn't contain the proper value:In contrast, the same field in CURL's NTLM token contains a meaningful string like "HTTP/dashboard.dev.customer.com". The flags in the
AvPairsseem identical except forMSV_AV_SINGLE_HOSTandMSV_AV_CHANNEL_BINDINGS, but I don't think it could be the reason for the failure. All the restMSV_AV_NB_DOMAIN_NAME,MSV_AV_NB_COMPUTER_NAME,MSV_AV_DNS_DOMAIN_NAME,MSV_AV_DNS_COMPUTER_NAME,MSV_AV_DNS_TREE_NAME,MSV_AV_FLAGSare the same.While examining your library, I noticed that
serviceandhostnameare initialized with stringshostandunspecified. However, I couldn't find the specific location where other values are assigned to these variables. It probably keeps the default values and they are packed to the final message. Any clarification or guidance on this matter would be greatly appreciated.Thanks again for your time and the library!