Solved

General questions and examples of SPNEGO over REST via C#, Java, Python?

Posted on 2014-12-14
686 Views
Last Modified: 2016-05-08
I am connecting to a web application that is integrated with Active Directory. The application allows for REST operations via SPNEGO.

My understanding is that I should be able to make a REST call using GSSAPI/SPNEGO. First a general question.  My understanding is that the process works like this.

1) User logs into their computer and gets a TGT which is stored somewhere off in memory (I'm a little fuzzy on this, I believe this is how Kerberos works, and I'm hoping SPNEGO assumes the same)
2) Client tries to make some request like a GET or PUT
3) Website responds with an unauthorized 401 response with a WWW-AUTHENTICATION: NEGOTIATE header.
4) Client responds with a second GET or PUT request adding an Authenticate: NEGOTIATE %token string% header
5) Request succeeds and client gets the proper response


My questions are:
1) Is the above understanding correct?
2) If my goal is to only get the %token string%, how would I retrieve that string value to add to the Authenticate: Negotiate header?
    1) In C#/.NET
    2) In Python
    3) In Java
Question by: techrage
3 Comments
 
Accepted Solution by: btan (earned 500 total points)
ID: 40500133
First off, it is good to understand Kerberos; the primer has a good use case to run through (see "Kerberos Processes and Interactions"). Windows implements Kerberos as a Security Support Provider (SSP); specifically, the Negotiate (SPNEGO), Kerberos, NTLM, Schannel, and Digest authentication protocols are plugged into the Security Support Provider Interface (SSPI) in the form of DLLs. The SSPI is the implementation of the Generic Security Service API (GSSAPI).

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

(1)
It should be right. The GSSAPI SPNEGO flow in general depends on 3 actors: the Client, the App Server (AS), and Active Directory (DC/KDC). We will need to assume the Client is logged in to a Windows domain and running a Windows machine with IE, and that the AS is configured for Kerberos against the AD server in the Windows domain. Hence, the SPNEGO steps should be:
 
Client sends AS:
    HTTP GET to CAS for CAS protected page
AS responds:
    HTTP 401 - Access Denied, WWW-Authenticate: Negotiate
Client sends ticket request:
    Kerberos (KRB_TGS_REQ) requesting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Kerberos KDC responds:
    Kerberos (KRB_TGS_REP) granting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Client sends AS:
    HTTP GET, Authorization: Negotiate w/SPNEGO Token
AS responds:
    HTTP 200 - OK, WWW-Authenticate w/SPNEGO response + requested page.

This should only happen for the first request, when there is no AS ticket associated with the user's session. Once the AS grants a ticket, this will not happen again until the AS ticket expires.

(2)
Also, to add further, the specific flow is shared in "SPNEGO Token Handshake by Using HTTP Headers":
http://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2

The SPNEGO token, as stated in the above MS link, appears as "WWW-Authenticate: Negotiate <base64 encoding>" or "Authorization: Negotiate <base64 encoding>", which is your mentioned %token string% accordingly.

The link describes GSSAPI functions, e.g. the SPNEGO Token Handler API, that deal with creation and parsing as a baseline; specifically there is a "spnegoGetMechToken" that gets the token. It has example code (in C) that shows how the SPNEGO Token Handler API could be used to parse a SPNEGO token, extract the mech token, and generate a response token to send back. http://msdn.microsoft.com/en-us/library/ms995331.aspx#http-sso-3_topic2

For the various languages, you probably have to "google" how each can map to reach "spnegoGetMechToken".
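The handshake described in the question (steps 1 to 5) and in the accepted answer, as an added example; this is not part of the original thread and is neither techrage's nor btan's code. It is in Python, one of the three languages asked about, and it runs offline: the Kerberos AP-REQ that GSS-API, SSPI or JGSS would build from the user's cached service ticket is a constructed placeholder byte string (FAKE_AP_REQ, labelled as such in the code), and the server is represented only by the value of its WWW-Authenticate header. Everything else is the real wire format of the %token string%: the RFC 2743 InitialContextToken framing, the RFC 4178 SPNEGO NegTokenInit with its mechanism list, and the base64 that goes after "Negotiate " in the Authorization header. The inspection function also answers the check a practitioner wants before trusting Negotiate: whether a given token is actually Kerberos, or a NegTokenInit that offers NTLMSSP and so may silently end in NTLM. The function names and the OID constants' names are this example's own.

```python
"""Client side of HTTP Negotiate (SPNEGO) as described in the thread above.
Offline: the Kerberos AP-REQ that GSS-API/SSPI/JGSS would build from the user's
cached ticket is a constructed placeholder; the GSS framing, the SPNEGO
NegTokenInit and the HTTP header handling are the real wire format."""
import base64

# Mechanism OIDs seen in Negotiate tokens (RFC 4178, RFC 4121, MS-SPNG, MS-NLMP).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Windows' variant Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
# Constructed stand-in for the AP-REQ (0x6e = [APPLICATION 14]); not a real ticket.
FAKE_AP_REQ = b"\x6e\x11CONSTRUCTED-APREQ"

def encode_oid(dotted):
    """DER content octets of a dotted OID: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return bytes(out)

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, i=0):
    """Read one DER TLV at offset i -> (tag, content, offset after it)."""
    tag, length, j = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, j = int.from_bytes(buf[j:j + n], "big"), j + n
    return tag, buf[j:j + length], j + length

def gss_initial_context_token(mech_oid, inner):
    """RFC 2743 3.1: [APPLICATION 0] { OID mech, mechanism-specific inner token }."""
    return der_tlv(0x60, der_tlv(0x06, encode_oid(mech_oid)) + inner)

def spnego_neg_token_init(mech_oids, mech_token):
    """RFC 4178 NegTokenInit: [0] SEQ { [0] MechTypeList, [2] OCTET STRING mechToken },
    mechToken being the first listed mechanism's token (the Kerberos AP-REQ)."""
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, encode_oid(o)) for o in mech_oids))
    fields = der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    return gss_initial_context_token(SPNEGO_OID, der_tlv(0xA0, der_tlv(0x30, fields)))

def to_header_value(token):
    return base64.b64encode(token).decode("ascii")

def negotiate_authorization(www_authenticate, mech_token=FAKE_AP_REQ):
    """Step 4 of the flow: from the 401's WWW-Authenticate value to the Authorization
    value, or None when Negotiate was not offered (never hand the ticket to a server
    that only asked for Basic or NTLM)."""
    schemes = {s.strip().split(" ", 1)[0].lower() for s in www_authenticate.split(",")}
    if "negotiate" not in schemes:
        return None
    token = spnego_neg_token_init([MS_KRB5_OID, KRB5_OID], mech_token)
    return "Negotiate " + to_header_value(token)

def inspect_negotiate_token(b64_token):
    """Classify the base64 after 'Negotiate ': ('NTLM', []) for a raw NTLMSSP blob,
    ('KRB5', [oid]) for bare Kerberos, ('SPNEGO', offered_oids) for a NegTokenInit
    (an empty list means a NegTokenResp, i.e. the server's reply in step 5)."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM", []
    tag, body, _ = der_read(raw)
    otag, oid, i = der_read(body)
    if tag != 0x60 or otag != 0x06:
        raise ValueError("not a GSS-API InitialContextToken")
    mech = decode_oid(oid)
    if mech != SPNEGO_OID:
        return ("KRB5" if mech in (KRB5_OID, MS_KRB5_OID) else "OTHER"), [mech]
    ctag, neg, _ = der_read(body, i)
    if ctag != 0xA0:                      # [1] = NegTokenResp, carries no mech list
        return "SPNEGO", []
    # SEQUENCE -> [0] MechTypeList -> SEQUENCE OF MechType
    mlist = der_read(der_read(der_read(neg)[1])[1])[1]
    offered, j = [], 0
    while j < len(mlist):
        _, c, j = der_read(mlist, j)
        offered.append(decode_oid(c))
    return "SPNEGO", offered

def is_kerberos_only(b64_token):
    """True when the token cannot end in NTLM: bare Kerberos, or a NegTokenInit list without NTLMSSP."""
    kind, mechs = inspect_negotiate_token(b64_token)
    return kind == "KRB5" or (kind == "SPNEGO" and bool(mechs) and NTLMSSP_OID not in mechs)
```

To replace FAKE_AP_REQ with a real token, ask the platform's GSS layer for the first context token against the service name HTTP@<FQDN of AS> (it must match the HTTP/<FQDN> SPN registered in AD for the application's service account, otherwise the KDC cannot issue the ticket and Windows clients quietly fall back to NTLM): in Python, python-gssapi's SecurityContext(name=gssapi.Name("HTTP@host", gssapi.NameType.hostbased_service), mech=gssapi.OID.from_int_seq(SPNEGO_OID)).step(), or simply requests-kerberos, which performs the whole exchange; in Java, GSSManager.getInstance().createContext(name, new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME).initSecContext(new byte[0], 0, 0), with the name from createName("HTTP@host", GSSName.NT_HOSTBASED_SERVICE); in C#/.NET, HttpClientHandler with UseDefaultCredentials = true lets SSPI do the exchange for you, and if you need the raw blob, System.Net.Security.NegotiateAuthentication (.NET 7 and later) exposes it. When the real GSS layer builds the SPNEGO token itself, the mechanism list it offers is what is_kerberos_only checks; run it on a captured Authorization header to confirm NTLM was not in the offer.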
