Solved

General questions and examples of SPNEGO over REST via C#, Java, Python?

Posted on 2014-12-14
Last Modified: 2016-05-08
I am connecting to a web application that is integrated with Active Directory. The application allows for REST operations via SPNEGO.

My understanding is that I should be able to make a REST call using GSSAPI/SPNEGO. First a general question. My understanding is that the process works like this.

1) User logs into their computer and gets a TGT which is stored somewhere off in memory (I'm a little fuzzy on this; I believe this is how Kerberos works, and I'm hoping SPNEGO assumes the same)
2) Client tries to make some request like a GET or PUT
3) Website responds with an unauthorized 401 response with a WWW-AUTHENTICATION: NEGOTIATE header.
4) Client responds with a second GET or PUT request adding an Authenticate: NEGOTIATE %token string%
5) Request succeeds and client gets the proper response


My questions are:
1) Is the above understanding correct?
2) If my goal is to only get the %token string%, how would I retrieve that string value to add to the Authenticate: Negotiate header?
    1) In C#/.NET
    2) In Python
    3) In Java
Question by: techrage
Accepted Solution by: btan (earned 500 total points)
ID: 40500133
First off, it is good to understand Kerberos; the primer has a good use case to run through (see "Kerberos Processes and Interactions"). Windows implements Kerberos as a Security Support Provider (SSP); specifically, the Negotiate (SPNEGO), Kerberos, NTLM, Schannel, and Digest authentication protocols are plugged into the Security Support Provider Interface (SSPI) in the form of DLLs. The SSPI is the implementation of the Generic Security Service API (GSSAPI).

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

(1)
It should be right. The GSSAPI SPNEGO flow in general should be dependent on 3 actors: the Client, the App Server (AS), and the Active Directory (DC/KDC). We will need to assume the Client is logged in to a Windows domain and running a Windows machine with IE, and that the AS is configured for Kerberos against the AD server in the Windows domain. Hence, the SPNEGO steps should be:
Client sends AS:
<> HTTP GET to CAS for CAS protected page
AS responds:
<> HTTP 401 - Access Denied, WWW-Authenticate: Negotiate
Client sends ticket request:
<> Kerberos (KRB_TGS_REQ) requesting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Kerberos KDC responds:
<> Kerberos (KRB_TGS_REP) granting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Client sends AS:
<> HTTP GET, Authorization: Negotiate w/SPNEGO token
AS responds:
<> HTTP 200 - OK, WWW-Authenticate w/SPNEGO response + requested page.

This should only happen for the first request, when there is no AS ticket associated with the user's session. Once the AS grants a ticket, this will not happen again until the AS ticket expires.

(2)
Also, to add further, the specific flow is shared in "SPNEGO Token Handshake by Using HTTP Headers":
http://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2

The SPNEGO token, as stated in the above MS link, is sent as "WWW-Authenticate: Negotiate <base64 encoding>" or "Authorization: Negotiate <base64 encoding>", which is your mentioned %token string% accordingly.

The link states GSSAPI functions, e.g. the SPNEGO Token Handler API that deals with creation and parsing as a baseline; specifically there is a "spnegoGetMechToken" that gets the token. It has example code (in C) that shows how the SPNEGO Token Handler API could be used to parse a SPNEGO token, extract the Mech token, and generate a response token to send back. http://msdn.microsoft.com/en-us/library/ms995331.aspx#http-sso-3_topic2

For the various languages, one probably has to "google" how each maps to "spnegoGetMechToken".
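As an added example (not code from this thread or from any library btan cites), here is the client side of the handshake from the accepted answer in Python, with the SSPI/GSSAPI calls replaced by a pluggable `token_source` callable; on a real client that callable would wrap something like python-gssapi's `SecurityContext.step()` for the name `HTTP@<FQDN of AS>`. The server and the token bytes are constructed stand-ins so the exchange runs offline; the point it adds is that the client must feed the server's final `WWW-Authenticate: Negotiate` token back into GSS to complete mutual authentication instead of trusting the 200 alone.

```python
import base64
from typing import Callable, Dict, Optional, Tuple

def parse_challenges(header: str) -> Dict[str, Optional[str]]:
    """Map each scheme in a WWW-Authenticate header to its token (or None).
    Handles token68 schemes like 'Negotiate, NTLM'; quoted auth-params (Basic realm="...") are out of scope."""
    out: Dict[str, Optional[str]] = {}
    for part in header.split(","):
        fields = part.strip().split(None, 1)
        if fields:
            out[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else None
    return out

def negotiate(send: Callable, token_source: Callable) -> Tuple[int, bytes]:
    """Steps 2-5 of the handshake: plain request, 401 offering Negotiate, retry with
    Authorization: Negotiate <base64>, then verify the server's token (mutual auth)."""
    status, headers, body = send({})
    if status != 401:
        return status, body                      # resource needs no auth
    offered = parse_challenges(headers.get("WWW-Authenticate", ""))
    if "negotiate" not in offered:
        raise RuntimeError("server did not offer Negotiate: %r" % offered)
    token = token_source(None)                   # initial SPNEGO token (wraps the AP-REQ)
    status, headers, body = send(
        {"Authorization": "Negotiate " + base64.b64encode(token).decode()})
    if status != 200:
        raise RuntimeError("authentication failed with status %d" % status)
    reply = parse_challenges(headers.get("WWW-Authenticate", "")).get("negotiate")
    if reply is None:
        raise RuntimeError("server sent no mutual-auth token with the 200")
    token_source(base64.b64decode(reply))        # raises if the server's token is bad
    return status, body

def demo(tamper: bool = False) -> Tuple[int, bytes]:
    """Constructed stand-ins for SSPI/GSSAPI and for the AS: fixed byte strings
    play the role of the real AP-REQ / AP-REP tokens (not real Kerberos data)."""
    client_tok, server_tok = b"CONSTRUCTED-AP-REQ", b"CONSTRUCTED-AP-REP"
    def token_source(incoming: Optional[bytes]) -> bytes:
        if incoming is None:
            return client_tok
        if incoming != server_tok:
            raise RuntimeError("mutual authentication failed")
        return b""
    def fake_server(headers: Dict[str, str]):
        if headers.get("Authorization") == "Negotiate " + base64.b64encode(client_tok).decode():
            sent = b"bogus" if tamper else server_tok
            return 200, {"WWW-Authenticate": "Negotiate " + base64.b64encode(sent).decode()}, b"<page>"
        return 401, {"WWW-Authenticate": "Negotiate, NTLM"}, b""
    return negotiate(fake_server, token_source)
```

Calling `demo()` returns the page after a successful handshake, while `demo(tamper=True)` shows the client refusing a 200 whose mutual-auth token does not verify.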
