CODEWITHSUNDEEP
pythonwindowspython-requestskerberos
James Robinson
James Robinson

Reputation: 1253

How do I connect to a kerberos authenticated REST service in Python on Windows

I am trying to create a very simple Python script to download the contents of an internal service at my company that sits within our firewall and authenticates using kerberos.

When I installed the requests_kerberos module I first edited the import kerberos in it to use import kerberos_sspi as kerberos instead after having installed the kerberos_sspi module.

Thus I have the following Python script

import requests
from requests_kerberos import HTTPKerberosAuth

response = requests.get('http://service.internaldomain',auth=HTTPKerberosAuth())

print response

While trying to process the 401 it crashes out with the error.

error: (-2146893053, 'InitializeSecurityContext', 'The specified target is unknown or unreachable')

While looking into seeing if I could do this with curl instead I ran kinit and noticed that it asked me for the password to authorisation with the following prompt:

Password for [email protected]

Thus I wondered if this might be what is causing the issue.

Upvotes: 10

Views: 34055

Answers (3)

hbrandao
hbrandao

Reputation: 3

I had to connecto to a REST API who's in a keberized environment just now.

After some reading, i came to this (and it worked):

    tk = 'long_kerberos_token'
    headers = {'Authorization': 'Negotiate' + tk}
    r = requests.get(url=PING_URL, headers=headers)

Upvotes: 0

ambassallo
ambassallo

Reputation: 970

I have tried multiple libraries on python and failed when trying to authenticate from a windows machine.There is no easy way. The Kerberos libraries mainly work on Linux. The workarounds for Windows do not work. So what can be the solution to this. Well... be a Roman while in Rome. Try the windows native libraries from Python.

 import sys
 import clr
 from System.Net.Http import *
 myClienthandler = HttpClientHandler()
 myClienthandler.UseDefaultCredentials = True
 myClient = HttpClient(myClienthandler)
 x = myClient.GetStringAsync("putyourURLwithinthequoteshere")
 myresult = x.Result
 print(myresult)

Note that the this python script will have to run by the user who has access to the URL you are trying to access. By setting UseDefaultCredentials property as True, you are passing the Kerberos tickets for the logged in user.

Upvotes: 6

Martin
Martin

Reputation: 51

The server is giving you a 401 challenge - and the client (usually a browser or even curl) provides the credentials in a subsequent call. If you are already logged in at your domain - try forcing a pre-emptive hop, i.e. you’d carry your Kerberos ticket with your call and the server will not give you a 401 challenge:

kerberos_auth = HTTPKerberosAuth(force_preemptive=True) r = requests.get("http://myhost/DXAPIGraphQL/api/graphql", auth=kerberos_auth)

If the above doesn't help look into the: principal and hostname_override arguments of the HTTPKerberosAuth class.

Upvotes: 2

Related Questions