nabil

Reputation: 1

curl on Windows using HTTP/2 and Windows authentication (SPNEGO, Kerberos, Negotiate)

I have been trying to get curl version 7.63 on Windows to connect to an HTTP/2 REST API and use Windows Authentication.

The REST endpoint is set up to do "negotiate" and is running on a "Domain Joined" Windows server, so it will get Kerberos delegation from the Windows DC KDC.

This all works in HTTP/1.1, but if I try to force curl to use HTTP/2 it will revert to HTTP/1.1.

When I use "basic" authentication, then curl can connect to the REST endpoint using HTTP/2.

I found this blog post from a former IIS engineer at Microsoft, which says that IIS does not support HTTP/2 with Windows authentication: https://blogs.iis.net/davidso/http2

Since my REST endpoint is responding with this in the header: Server: Microsoft-HTTPAPI/2.0

I believe it is using the same library as IIS, and that could be the reason why it can't handle Windows Authentication (Windows Authentication is needed to handle SSO so that the user does not need to enter his credentials).

Is this a limitation in the HTTP/2 specification or just a limitation in the Microsoft libraries and IIS?

curl 7.63.0 (x86_64-w64-mingw32) libcurl/7.63.0 OpenSSL/1.1.1a (WinSSL) zlib/1.2.11 libidn2/2.0.5 nghttp2/1.35.1
Release-Date: 2018-12-12
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink

Upvotes: 0

Views: 2682

Answers (1)

TooOldForThis

Reputation: 21

HTTP/2

In a few cases, HTTP/2 can't be used in combination with other features. In these situations, Windows will fall back to HTTP/1.1 and continue the transaction. This may involve negotiating HTTP/1.1 during the handshake, or sending an error code to the client instructing it to retry over an HTTP/1.1 connection.

Windows authentication (NTLM/Kerberos/Negotiate) is not supported with HTTP/2. In this case IIS will fall back to HTTP/1.1.

Clear text - as mentioned above, IIS currently only supports HTTP/2 over TLS. Again, IIS will fall back to HTTP/1.1.

Bandwidth throttling - IIS has a feature to limit bandwidth (in Inetmgr, select the site, 'Limits' under Configure of the Action pane). This applies to HTTP/1.1 but is not enforced for HTTP/2 (will proceed with no errors or bandwidth limiting).

Upvotes: 2
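
Added example, not part of the question or the answer above: a small POSIX shell check that shows whether the HTTP/1.1 fallback on a given endpoint is tied to Negotiate, by comparing the protocol version curl ends up on without authentication and with `--negotiate`. It assumes a POSIX shell (Git Bash, WSL, Linux) and a curl build with HTTP2 and SPNEGO; the function names and the URL in the comment are made up for the illustration.

```shell
#!/bin/sh
# Added example: compare the HTTP version curl ends up on for one URL,
# without authentication and with Negotiate.

# probe URL [extra curl options]
# Prints "<http_version> <status_code>" of the final response.
# --http2 only asks for HTTP/2; %{http_version} reports what was really used.
probe() {
  _url=$1; shift
  curl --silent --output /dev/null --http2 \
       --write-out '%{http_version} %{http_code}' "$@" "$_url"
}

# classify BASE_VERSION NEGO_VERSION
# Names the pattern shown by the two probes.
classify() {
  case "$1/$2" in
    2*/1.*)  echo negotiate-fallback ;;  # HTTP/2 without auth, HTTP/1.1 with Negotiate
    2*/2*)   echo h2-kept ;;             # Negotiate request stayed on HTTP/2
    1.*/1.*) echo no-h2-at-all ;;        # HTTP/2 not in use even before auth
    *)       echo unknown ;;             # e.g. connection failure ("0")
  esac
}

# diagnose URL
# Runs both probes, prints what each saw, then the verdict on the last line.
# "--negotiate --user :" makes curl use the logged-on user's credentials.
diagnose() {
  _base=$(probe "$1") || return 1
  _nego=$(probe "$1" --negotiate --user :) || return 1
  echo "no auth:   HTTP/${_base% *} status ${_base#* }"
  echo "negotiate: HTTP/${_nego% *} status ${_nego#* }"
  classify "${_base% *}" "${_nego% *}"
}

# Run only when a URL is given, e.g.: sh h2auth.sh https://api.example.test/
if [ $# -gt 0 ]; then
  diagnose "$1"
fi
```

A `no-h2-at-all` result points at the TLS/ALPN setup or the server configuration rather than at Windows authentication.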
