Solved

General questions and examples of SPNEGO over REST via C#, Java, Python?

Posted on 2014-12-14
Last Modified: 2016-05-08
I am connecting to a web application that is integrated with Active Directory. The application allows for REST operations via SPNEGO.

My understanding is that I should be able to make a REST call using GSSAPI/SPNEGO. First a general question. My understanding is that the process works like this.

1) User logs into their computer and gets a TGT which is stored somewhere off in memory (I'm a little fuzzy on this, I believe this is how KERBEROS works, and I'm hoping SPNEGO assumes the same)
2) Client tries to make some request like a GET or PUT
3) Website responds with an unauthorized 401 response with a WWW-AUTHENTICATION : NEGOTIATE header.
4) Client responds with a second GET or PUT request adding an Authenticate: NEGOTIATE %token string%
5) Request succeeds and client gets proper response


My questions are:
1) Is the above understanding correct?
2) If my goal is to only get the %token string%, how would I retrieve that string value to add to the Authenticate: Negotiate header?
    1) In C#/.NET
    2) In Python
    3) In Java
Question by:techrage
Accepted Solution

by:
btan earned 500 total points
First off, it is good to understand Kerberos; the primer has a good use case to run through (see "Kerberos Processes and Interactions"). Windows implements Kerberos as a Security Support Provider (SSP); specifically, the Negotiate (SPNEGO), Kerberos, NTLM, Schannel, and Digest authentication protocols are plugged into the Security Support Provider Interface (SSPI) in the form of DLLs. The SSPI is the implementation of the Generic Security Service API (GSSAPI).

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

(1)
It should be right. The GSSAPI SPNEGO flow in general depends on 3 actors: the Client, the App Server (AS), and Active Directory (DC/KDC). We will need to assume the Client is logged in to a Windows domain and running a Windows machine with IE, and the AS is configured for Kerberos against the AD server in the Windows domain. Hence, the SPNEGO steps should be:
 
Client sends AS: HTTP GET to CAS for CAS-protected page
AS responds: HTTP 401 - Access Denied, WWW-Authenticate: Negotiate
Client sends ticket request: Kerberos(KRB_TGS_REQ) requesting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Kerberos KDC responds: Kerberos(KRB_TGS_REP) granting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Client sends AS: HTTP GET, Authorization: Negotiate w/SPNEGO Token
AS responds: HTTP 200 - OK, WWW-Authenticate w/SPNEGO response + requested page.

This should only happen for the first request, when there is no AS ticket associated with the user's session. Once the AS grants a ticket, this will not happen again until the AS ticket expires.

(2)
Also, to add further, the specific flow is shared in "SPNEGO Token Handshake by Using HTTP Headers":
http://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2

The SPNEGO token, as stated in the above MS link, appears as "WWW-Authenticate: Negotiate <base64 encoding>" or "Authorization: Negotiate <base64 encoding>", which is your mentioned %token string% accordingly.

The link covers GSSAPI functions, e.g. the SPNEGO Token Handler API, that deal with creation and parsing as a baseline; specifically, there is a "spnegoGetMechToken" that gets the token. It has example code (in C) that shows how the SPNEGO Token Handler API could be used to parse a SPNEGO token, extract the Mech token, and generate a response token to send back. http://msdn.microsoft.com/en-us/library/ms995331.aspx#http-sso-3_topic2

For the various languages, you probably have to "google" how each can map to reach "spnegoGetMechToken".
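Added example (not part of the original answer, and not the MSDN sample it links to): a Python sketch of the parsing step the answer describes, which base64-decodes the value of an `Authorization: Negotiate ...` header, walks the initial SPNEGO token, and returns the offered mechanism OIDs and the embedded mech token. The function names are this example's own, the sample header is constructed with a placeholder mech token rather than a real Kerberos ticket, and only the initial token (NegTokenInit) is handled.

```python
import base64

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf, pos=0):
    while pos < len(buf):  # walk the elements inside a constructed value
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_negotiate(header_value):
    """Return (offered mech OIDs, mechToken or None) for 'Negotiate <base64>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header carrying a token")
    tag, body, _ = read_tlv(base64.b64decode(b64.strip(), validate=True))
    oid_tag, oid, pos = read_tlv(body)
    if (tag, oid_tag, decode_oid(oid)) != (0x60, 0x06, "1.3.6.1.5.5.2"):
        raise ValueError("not an initial SPNEGO token")
    mechs, mech_token = [], None
    init = read_tlv(read_tlv(body, pos)[1])[1]  # [0] NegTokenInit -> SEQUENCE body
    for tag, value in children(init):
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, in preference order
            mechs = [decode_oid(v) for _, v in children(read_tlv(value)[1])]
        elif tag == 0xA2:  # [2] mechToken: OCTET STRING for the first mechanism
            mech_token = read_tlv(value)[1]
    return mechs, mech_token

def constructed_header(mech_token=b"constructed-placeholder"):  # sample, not a real ticket
    tlv = lambda tag, value: bytes([tag, len(value)]) + value  # lengths < 128 only
    oid = lambda hexstr: tlv(0x06, bytes.fromhex(hexstr))
    mechs = tlv(0x30, oid("2a864886f712010202") + oid("2b06010401823702020a"))
    init = tlv(0x30, tlv(0xA0, mechs) + tlv(0xA2, tlv(0x04, mech_token)))
    raw = tlv(0x60, oid("2b0601050502") + tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(raw).decode()
```

In the returned list, `1.2.840.113554.1.2.2` is Kerberos V5 and `1.3.6.1.4.1.311.2.2.10` is NTLMSSP, so the first entry shows which mechanism the client prefers.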
