KRB_AP_REQ ticket from SSPI - c++

I have a Linux server application that is using Kerberos for client authentication and client that needs to run on Windows. Kerberos tickets are issued by Windows Active Directory. Client authenticates successfully on server if I use MIT KfW 3.2.2. API for retrieving AS and TGS tickets from Kerberos server and store them in kerberos credentials store. But the problem with this approach is that user needs to input his credentials again.
The solution would be to access MS LSA store but this does not work. Neither does ms2mit.exe application. It does not matter if I run it as normal user or as administrator, or if I disable UAC completely.
This is why I would like to use SSPI on client to make the KRB_AP_REQ message which I would send to server. Is that possible. If yes how can it be done? IF no, what are my other options? Please note that server is already built and it would require significant effort to change it, therefore I would like to find a solution on windows.

You can use the AquireCredentialsHandle and InitializeSecurityContext functions of the windows SSPI subsystem to get a valid ticket and authenticate against a Linux based server.
First use AcquireCredentialsHandle() and than use multiple calls to InitializeSecurityContext with the tokens you get from your server until your authenticated.

Related

Using Kerberos request type instead of NTLM in power-bi report server

I'm having a server with power-bi reporting service installed and configured on it, and from my front-end that hosts the application, i've got angular 7 with proper power-bi components installed.
Since the report is on the server and it needs authentication to login, i get a user and password fill-in prompt in my website whenever i try to access this report, and after logging in, i can see the data of my report.
I'm wondering how to use Kerberos authentication so that i can set-up that username and password to login automatically without asking the user to enter them every time.
What i've done so far :
I've made and set a few SPN in my active directory, made a user in Active Directory Users and Computer and in it's Delegation tab, i've set it to Use any authentication protocol and added MSOLAPDisco and MSOLAPSvc.3 to it. i've added the user account credentials that i've made to service account and execution account in power bi Report server then i modified the rsreportserver config file to use the RSNegotiate before NTLM.
After trying to solve the issue with the mentioned above methods, i still get a NTLM method in network monitor which is installed in the Active Directory.
Any suggestions how to solve this issue? Thanks in advance.

Why to use mod_auth_kerb for authenticating?

I am facing a problem understanding the reason why to use mod_auth_kerb for authentication to a Kerberos server.
I am developing a website using Django + mod_wsgi + Apache .
The first page of my website asks the user to enter username/password and one of my Django app will take the username/password and use Python kerberos module to authenticate the user to the kerberos server.
Where do I need to use mod_auth_kerb here ?
I understand that I will have the power to use the username/password to my advantage,is this the reason of using mod_auth_kerb ?
mod_auth_kerb can do two things:
Prompt the user for a username and password via HTTP Basic and validate them using Kerberos on the server side, or
Allow the browser to authenticate using Kerberos on both sides, via HTTP Negotiate. If the client supports Kerberos, this provides single-signon: the client automatically authenticates to the server via the Kerberos system without prompting for a password, via credentials obtained when the user logged in.
You are doing #1 in your application. It might be useful to move that into Apache, where it can be done once consistently for all apps. #2 you're not doing at all, but it's only useful in an environment in which Kerberos infrastructure is available.
A word of warning: I don't know about the "Python kerberos module," but it's very possible that it is not doing password validation securely. Many things which claim to do this do the equivalent of "kinit": they use the username and password to obtain an initial Kerberos credential (TGT), and claim success if it appears to work. The problem is that they have asked a third party (the Kerberos authentication server (key distribution center), or KDC) to validate the password -- but they have not checked that they are actually talking to a real KDC. They might just have received a message from the same user who gave them the password, and the message of course says, "the password is right." In order to do this properly the verifier needs its own identity in the Kerberos realm (a "principal"), and to take the extra step of using the TGT to obtain a ticket for itself and verifying it; this ensures that the reply is from a genuine KDC.
Another common way of doing this, if your KDCs are Windows domain controllers, is to use LDAP: connect to a domain controller via LDAP and authenticate with the password; the DC will check the password against Kerberos itself. Of course, you have the same problem: you need to verify that you're talking to a genuine domain controller -- but you can do that with TLS via certificates, which may be easier.

How CreateProcessAsUser on Windows Using Delegated Credentials from SSPI?

I work on a Kerberos logon infrastructure (Single Sign-On) with:
A client which is authenticated to the Kerberos Key Distribution
Center.
A principal service server using Kerberos as authentication.
Server Program is coded in C++.
I have no problem to create a context between my principal (client) and my service principal (server).
I also delegated my client credentials to the server, because I need to create a process on the server using client user credentials.
And this is my problem, on the server side, I have a SSPI context and I need to CreateProcessAsUser using a Windows type pHandle.
I do not know how to use my SSPI credentials to create on my server a process as the client user.
I take a look at LsaLogonUser, which seems to do what I want (create a handle from kerberos user credentials) but my problem is the same, I do not know how to use the SSPI Token with this LsaLogonUser.
Thanks in Advance, for your help
Though it is very late but you could obtain a token by doing following:
HANDLE tempHandle;
if (!QuerySecurityContextToken(hctxt, &tempHandle))
{
MyDbg("Could not obtain token for user");
}
I just posted a question regarding something related to what you are doing. I am using a session 0 Windows service to launch an application into session 1. The code I used (and asked about) is included in that post, and works well except that paths normally available to a user in session 1 are not accessible when launced this way. In any case, Even though I have some questions about this code, I hope it can start you on the right path.
Ryyker
I finally found a solution to my problem.
The best way to do it is to:
write delegated credentials in a temporary file.
set KRB5CCNAME environment variable to the path of this file.
It Works ;)

How to get Windows credential for NTLM / Kerberos from C++ for libcurl?

I have a fairly basic question for using libcurl, which I could not find an answer from googling/stackoverflow.
I would like to use libcurl to authenticate user to a remote Windows site. To do that, I need to pass in the Windows credentials (domain/user/password) to libcurl. How to I retrieve the current login user's credential from Visual C++ for this purpose? Goal is not to have to prompt user again for their Windows credentials.
you can't if you could this was a security breach
Trojans could steal user's credential.
usually for authentication systems only save the a hash(md5/sha1) of the password , not the password itself so even if one have an accesses to that hash he cant steal the password. as he need the password not the hash.
i don't know about windows but i believe they do the same.

Impersonation fails authorization with same credentials on workstation A and B

Case 1. When I browse a little test site from my own PC called JOHNXP (e.g. http://localhost/WebClient ), my .aspx page invokes my ASMX webservice picks up my credentials and passes them across to another webservice on ANOTHER machine (SERVERTRIM) in the same domain. I can see my request resulting in a Security Log entry on the SERVERTRIM machine with my credentials.
Case 2. I move to another PC in the same domain and logon with the same credentials I used back at my personal desktop. When I browse the same test site above (this time as http://johnxp/WebClient ), I get this percolated back to my .aspx page:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Net.WebException: The request failed with HTTP status 401: Unauthorized
Looking at the Security Log on SERVERTRIM, I note that the access in case 2 resulted in an ANONYMOUS LOGON which seems to explain the 401 / Unauthorized.
I'm trying to get my webservice to use the credentials of the logged in DOMAIN user when my WS calls a vendor's webservice on a different server.
My ASMX webservice runs on my desktop (IIS 5.1 WinXP Pro - machine name is JOHNXP). I have Enable anonymous UNCHECKED in every server involved and I have this in every web.config involved in my scenario:
The vendor webservice runs on SERVERTRIM (Win 2003 Server) and it is also ASMX and uses WSE 3.0.
Wireshark and Netmon look too formidable as tools for me right now. I am figuring the different resulting LOGONs on the "remote" server (SERVERTRIM) are sufficient "evidence". All machines above are in the same domain but I want to keep the "remote" webservice on SERVERTRIM and my intermediate webservice on a different server in the same domain if possible. Does this scenario demand that I have to dig into "delegation"? What would be the easiest tool to monitor why the same credentials result in an ANONYMOUS LOGON when the web request is initiated on another machine in the domain?
My knowledge of authentication is a bit hazy, but if I understood your description correctly:
in the first case, you're browsing to localhost, which is impersonating the caller, then calling a web service on a different machine. The impersonation is being done on the same machine as the client. I believe in this case, the impersonating application doesn't need to be on a machine that is trusted for delegation (because it's already the same machine as the client).
in the second case, you're browsing to a different PC, which is attempting to impersonate the caller when calling a third PC. In this case, the PC in the middle would need to be trusted for delegation (which it presumably won't be if it's a development workstation).