General questions and examples of SPNEGO over REST via C#, Java, Python?

I am connecting to a web application that is integrated with Active Directory. The application allows for REST operations via SPNEGO.

My understanding is that I should be able to make a REST call using GSSAPI/SPNEGO. First, a general question. My understanding is that the process works like this:

1) User logs into their computer and gets a TGT which is stored somewhere off in memory (I'm a little fuzzy on this; I believe this is how Kerberos works, and I'm hoping SPNEGO assumes the same)
2) Client tries to make some request like a GET or PUT
3) Website responds with an unauthorized 401 response with a WWW-AUTHENTICATION : NEGOTIATE header.
4) Client responds with a second GET or PUT request adding an Authenticate: NEGOTIATE %token string%
5) Request succeeds and client gets the proper response


My questions are:
1) Is the above understanding correct?
2) If my goal is to only get the %token string%, how would I retrieve that string value to add to the Authenticate: Negotiate header?
    1) In C#/.NET
    2) In Python
    3) In Java
Asked by techrage

btan (Exec Consultant) commented:
First off, it is good to understand Kerberos; the primer has a good use case to run through (see "Kerberos Processes and Interactions"). Windows implements Kerberos as a Security Support Provider (SSP); specifically, the Negotiate (SPNEGO), Kerberos, NTLM, Schannel, and Digest authentication protocols are plugged into the Security Support Provider Interface (SSPI) in the form of DLLs. The SSPI is the implementation of the Generic Security Service API (GSSAPI).

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

(1)
It should be right. The GSSAPI SPNEGO flow in general depends on 3 actors: the Client, the App Server (AS), and Active Directory (DC/KDC). We will need to assume the Client is logged in to a Windows domain and running a Windows machine with IE, and that the AS is configured for Kerberos against the AD server in the Windows domain. Hence, the SPNEGO steps should be:

Client sends AS:
<> HTTP GET to CAS for CAS protected page
AS responds:
<> HTTP 401 - Access Denied, WWW-Authenticate: Negotiate
Client sends ticket request:
<> Kerberos (KRB_TGS_REQ) requesting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Kerberos KDC responds:
<> Kerberos (KRB_TGS_REP) granting ticket for HTTP/<FQDN of AS>@KERBEROS REALM
Client sends AS:
<> HTTP GET Authorization: Negotiate w/SPNEGO Token
AS responds:
<> HTTP 200 - OK, WWW-Authenticate w/SPNEGO response + requested page.

This should only happen for the first request, when there is no AS ticket associated with the user's session. Once the AS grants a ticket, this will not happen again until the AS ticket expires.

(2)
To add further, the specific flow is shared in "SPNEGO Token Handshake by Using HTTP Headers":
http://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2

The SPNEGO token, as stated in the MS link above, appears as "WWW-Authenticate: Negotiate <base64 encoding>" or "Authorization: Negotiate <base64 encoding>", which is your mentioned %token string% accordingly.

The link states the GSSAPI functions, e.g. the SPNEGO Token Handler API, that deal with creation and parsing as a baseline; specifically, there is a "spnegoGetMechToken" that gets the token. It has example code (in C) that shows how the SPNEGO Token Handler API could be used to parse a SPNEGO token, extract the Mech token, and generate a response token to send back. http://msdn.microsoft.com/en-us/library/ms995331.aspx#http-sso-3_topic2

For the various languages, you probably have to "google" how each maps to "spnegoGetMechToken".
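The answer above says the %token string% is the base64 value after "Negotiate" and that it wraps a mechanism token. The following is an added example (not code from the thread, and not Microsoft's SPNEGO Token Handler API) showing what a server, proxy or log hook can learn from that string without a KDC: it decodes the GSS-API framing (tag 0x60, length, mechanism OID) and reports whether the client actually presented SPNEGO, Kerberos or a raw NTLM message. The sample tokens are constructed in the block itself (real AP-REQ/NegTokenInit contents are replaced by placeholder bytes); the OID constants are the standard GSS-API mechanism OIDs, and `parse_www_authenticate` deliberately handles only the simple challenge forms seen in this handshake.

```python
"""Inspect the Negotiate tokens exchanged in the 401 handshake described above.

Added example: builds constructed tokens (no KDC involved) and classifies
the mechanism found in an "Authorization: Negotiate <base64>" value, which is
useful for spotting clients that fell back from Kerberos to NTLM.
"""
import base64

# Mechanism OIDs carried in a GSS-API InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OID = "1.2.840.113554.1.2.2"
MS_KERBEROS_OID = "1.2.840.48018.1.2.2"     # Microsoft's legacy Kerberos OID
NTLM_SIGNATURE = b"NTLMSSP\x00"              # raw NTLM messages are not DER-wrapped
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KERBEROS_OID: "Kerberos", MS_KERBEROS_OID: "Kerberos (MS)"}


def parse_www_authenticate(header_value):
    """Split 'Negotiate, NTLM' or 'Negotiate oYG2...' into (scheme, token_or_None) pairs.
    Only the comma-separated, parameter-free forms used by Negotiate/NTLM are handled."""
    challenges = []
    for part in header_value.split(","):
        fields = part.strip().split(None, 1)
        if fields:
            challenges.append((fields[0], fields[1].strip() if len(fields) > 1 else None))
    return challenges


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _decode_oid(body):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(b64_token):
    """Return the mechanism name behind an 'Authorization: Negotiate' value.

    'NTLMSSP\\0' means a raw NTLM message; otherwise expect a GSS-API
    InitialContextToken: [APPLICATION 0] (0x60), length, mechanism OID, body.
    """
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLM_SIGNATURE):
        return "NTLM"
    if not raw or raw[0] != 0x60:
        return "unknown"
    _, pos = _der_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:   # OBJECT IDENTIFIER tag
        return "unknown"
    oid_len, pos = _der_length(raw, pos + 1)
    oid = _decode_oid(raw[pos:pos + oid_len])
    return MECH_NAMES.get(oid, oid)


def _der(tag, body):
    """Minimal DER TLV encoder used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def _encode_oid(dotted):
    """Dotted OID string to DER content bytes (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_token(mech_oid, inner=b"\xa0\x03\x0a\x01\x00"):
    """Constructed test token: GSS framing around the given mechanism OID.
    The inner bytes are a placeholder, not a real NegTokenInit or AP-REQ."""
    return base64.b64encode(_der(0x60, _der(0x06, _encode_oid(mech_oid)) + inner)).decode("ascii")


# Constructed samples, not captured traffic.
SAMPLE_SPNEGO_TOKEN = build_sample_token(SPNEGO_OID)
SAMPLE_NTLM_TOKEN = base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00").decode("ascii")

if __name__ == "__main__":
    print(parse_www_authenticate("Negotiate, NTLM"))
    for label, tok in [("SPNEGO", SAMPLE_SPNEGO_TOKEN), ("NTLM", SAMPLE_NTLM_TOKEN)]:
        print(label, "->", classify_negotiate_token(tok))
```

A practical use is on the server or reverse-proxy side: a token that classifies as "NTLM" on a host that is supposed to negotiate Kerberos usually means a missing or wrong SPN, a client outside the domain, or a non-FQDN URL, all of which are worth alerting on rather than silently accepting.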
