
I've been trying to work out how to use GSSAPI to authenticate with an IIS server on an Active Directory domain by working through the code for tutorials from Oracle and I'm having trouble establishing a context.

The way the tutorial sends tokens is by first sending an integer, then sending the token. This works, of course, with the tutorial server, because it's expecting that. What I don't know, though, is whether this is the correct protocol for GSSAPI interaction in general?

RFC4121 section 4 and RFC2743 section 3.1 seem to suggest that there's a bit more than that (some sort of tag, then the length, but adjusted a bit, then an Oid [of the requested mechanism, I assume] and its length etc.).

Is this referring to the internal structure of the token? Or is it specific to some implementations? Or is that the protocol IIS (and, presumably, all other GSSAPI supporting servers/hosts) would follow?

Also, if it is what's meant to be followed, why would the tutorial not follow, or at least mention, that? Isn't GSS meant to be Generic? Is it normal for this to happen?

Thanks in advance :)

  • Generally RFC doesn't mean it has to be that way. RFC are documents for suggesting new technology and usually don't get updated on every change of the protocol, to my knowledge. Can you post the token? It should begin with `YII` to be a kerberos/SPNEGO token. If that's the case take a look at the link I posted in your original question of gssapi, the answer steps through the whole process of configuration to validation of the token. – Nico Dec 22 '16 at 06:53
  • The ticket in that answer and this token are slightly different, I think. That token is the kerberos Service Ticket (or something like that), while the token I've got is a GSSAPI token (I think it has a bunch of data GSSAPI uses to establish context etc.). – dram Dec 22 '16 at 07:08
  • That's still ok since you can modify the credential that gssapi will handle it as. Simply change the OID to the one that gssapi should handle it as. `final Oid spnegoOid = new Oid( "1.3.6.1.5.5.2" ); GSSManager gssmgr = GSSManager.getInstance(); GSSName serviceName = gssmgr.createName( this.spn, GSSName.NT_USER_NAME ); GSSCredential serviceCredentials = gssmgr.createCredential( serviceName, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY );` – Nico Dec 22 '16 at 07:14
  • I just tried to encode it to Base64 and you were right, that is an SPNEGO ticket: encoded, it's YII.....= Also, what did you mean by the above code? Should I use SPNEGO instead of Kerberos? – dram Dec 22 '16 at 07:19
  • Yeah, use the OID for SPNEGO since the actual kerberos token is surrounded by an SPNEGO token. gssapi will be able to unwrap it and have the kerberos token where you then can use `GSSContext.unwrap` and `GSSContext.verifyMIC` and all kinds of things. The answer has the layout code which you then can modify to your needs. – Nico Dec 22 '16 at 07:23
  • I've had a closer look at the network trace when I log in through chrome and it sends an HTTP GET request with a header line of Authorization: Negotiate YII..... – dram Dec 23 '16 at 01:44
  • My program, however, sends a TCP request with the length of the token and the token. This sounds like what's causing the "Invalid Verb" error (as in, it's expecting a GET or a POST, but I'm just sending TCP stuff). (btw it wouldn't let me edit my comment above, which is why this is split into two) – dram Dec 23 '16 at 01:47
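As an added example (not code from the question, the comments, or Oracle's tutorial), the RFC 2743 section 3.1 framing the question asks about, built and parsed in Python: the 0x60 tag, a DER length, the mechanism OID, then the mechanism's own token. The `tutorial_frame`/`negotiate_header` pair shows the two transports the comments contrast, the tutorial's length-prefixed socket frame and the `Authorization: Negotiate` header IIS expects; the inner token bytes used here are a constructed placeholder, not a real Kerberos ticket.

```python
import base64
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"  # SPNEGO wrapper / plain Kerberos v5

def _der_len(n):  # DER length octets: short form below 128, else 0x80|count + big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _read_der_len(buf, pos):  # -> (length, offset just past the length octets)
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    count = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count
def _encode_oid(dotted):  # DER OBJECT IDENTIFIER: 40*a+b for the first two arcs, then base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return b"\x06" + _der_len(len(out)) + bytes(out)
def _decode_oid(raw):  # inverse of _encode_oid, on the OID value octets only
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def wrap_initial_context_token(mech_oid, inner):
    # RFC 2743 3.1: [APPLICATION 0] tag 0x60, DER length, mechanism OID, then the mechanism token
    body = _encode_oid(mech_oid) + inner
    return b"\x60" + _der_len(len(body)) + body
def parse_initial_context_token(token):  # inverse of wrap; ValueError if not RFC 2743 framed
    if not token or token[0] != 0x60:
        raise ValueError("missing 0x60 InitialContextToken tag")
    total, body_start = _read_der_len(token, 1)
    if token[body_start] != 0x06:
        raise ValueError("mechanism OID missing after the token length")
    oid_len, oid_start = _read_der_len(token, body_start + 1)
    mech = _decode_oid(token[oid_start:oid_start + oid_len])
    return mech, token[oid_start + oid_len:body_start + total]

def tutorial_frame(token):  # Oracle tutorial's socket framing: 4-byte big-endian length, then the token
    return len(token).to_bytes(4, "big") + token
def negotiate_header(token):  # what IIS expects instead: the same bytes, base64, in an HTTP header
    return "Authorization: Negotiate " + base64.b64encode(token).decode("ascii")
```

Any token wrapped this way whose body length needs two long-form length bytes (256 to 16383 bytes, the usual size of a Kerberos AP-REQ) starts `60 82 xx`, which is why the comments see `YII` once it is base64-encoded.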
