Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

General questions and examples  of  SPNEGO over REST via C#, Java, Python ?

Posted on 2014-12-14
3
Medium Priority
?
895 Views
Last Modified: 2016-05-08
I am connecting to a web application that is integrated with Active Directory. The application allows  for  REST operations via SPNEGO.

My understanding is that I should be able to make a REST call using GSSAPI/SPNEGO. First a general question.  My understanding is that the process works like this.

1) User logs into their computer and gets a TGT which is stored somewhere off in memory (I'm a little fuzzy on this, I believe this is how KERBEROS works, and I'm hoping SPNEGO assumes the same)
2) Client tries to make some request like a GET or PUT
3) Website respondes with unauthorized 401 response with an WWW-AUTHENTICATION : NEGOTIATE header.
4) Client responded with a second GET or PUT request adding a Authenticate: NEGOTIATE %token string%
5) Request succeeded and client get proper response


My questions are:
1) Is the above understanding correct?
2) If my goal is to only get the %token string% How would i retrieve that string value to add to the Authenticate: Negotiate header?
    1) In C#/.NET
    2) In Python
    3) In Java
0
Comment
Question by:techrage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40500133
First off it is good to under Kerberos, the primer has good use case to run through (see "Kerberos Processes and Interactions"). Windows implements Kerberos as a Security Support Provider (SSP), specifically Negotiate (SPNEGO), Kerberos, NTLM, Schannel, and Digest authentication protocols—are plugged into the Security Support Provider Interface (SSPI) in the form of DLLs. The SSPI is the implementation of the Generic Security Service API (GSSAPI)

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

(1)
It should be right. The GSSAPI SPNEGO flow in general should be dependent on 3 actors such as the Client, the App Server (AS) , and the ActiveDirectory (DC/KDC). We will need to assume Client is logged in to a windows domain, and running Window machine with IE and AS is configured for Kerberos against the AD server in the windows domain. Hence, the SPNEGO steps should be:
 
Client sends AS:                      
<>  HTTP GET to CAS  for cas protected page
AS responds:                        
<>  HTTP 401 - Access Denied WWW-Authenticate: Negotiate
Client sends ticket request:  
<>  Kerberos(KRB_TGS_REQ) Requesting  ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Kerberos KDC responds:    
<>  Kerberos(KRB_TGS_REP) Granting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Client sends AS:              
<>  HTTP GET Authorization: Negotiate w/SPNEGO Token
AS responds:                    
<>  HTTP 200 - OK WWW-Authenticate w/SPNEGO response + requested page.

This should only happens for the first request, when there is no AS ticket associated with the users session.  Once AS grants a ticket, this will not happen again until the AS ticket expires.

(2)
Also to add further the specific flow is shared in "SPNEGO Token Handshake by Using HTTP Headers"
http://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2

The SPNEGO Token as stated in above MS link stated as "WWW-Authenticate: Negotiate <base64 encoding>" or "Authorization: Negotiate <base64 encoding>" which is your mentioned %token string% accordingly.

The link stated GSSAPI functions e.g. SPNEGO Token Handler API that deal with creation and parsing as a baseline, specifically there is a "spnegoGetMechToken" that get the token. It has an example code (in C) shows how the SPNEGO Token Handler API could be used to parse a SPNEGO token, extract the Mech token, and generate a response token to send back. http://msdn.microsoft.com/en-us/library/ms995331.aspx#http-sso-3_topic2

For the various language, probably has to "google" how each can map to reach "spnegoGetMechToken"
0

Featured Post

Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
The purpose of this video is to demonstrate how to set up basic WordPress SEO. This will be demonstrated using a Windows 8 PC. The plugin used will be WordPress SEO by Yoast. Go to your WordPress login page. This will look like the following: myw…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question