mdk

Reputation: 6543

GSSAPI for NTLM authentication

Is it possible to use GSSAPI for NTLM v1/v2 authentication? I am trying to build a web server, quite like squid / apache, but I would like to authenticate clients that could be using IE / FireFox, using the NTLM / Negotiate protocols. I tried using the heimdal libraries but simply can't get gss_accept_sec_context to work. It simply fails with "An unsupported mechanism was requested". I can confirm that the service principal name, OIDs for spnego etc. did happen correctly when gss_acquire_cred was called before gss_accept_sec_context was attempted. Yes of course, I extracted the token received from the client by base64 decoding the authorization headers. I am using C++, and experimenting with this on Debian. I am sure one of the fantastic hacks around here knows more, and hope they will share some important clues.

Thanks in Advance.

Upvotes: 3

Views: 7734

Answers (3)

Sushant Mathur

Reputation: 11

The Heimdal GSSAPI library supports SPNEGO, NTLMv1/v2 and KRB5. They also have the raw NTLM library that you could use to implement the protocol yourself.

https://www.h5l.org/manual/HEAD/gssapi/

Upvotes: 1

Sam Hartman

Reputation: 6509

I'm not sure about the Heimdal library and whether it works with the GSS, but gss ntlm ssp specifically claims to be a gss library. I'd expect you'd need to download and build it, then you would need to set up /etc/gss/mech (or /usr/etc/gss/mech on Debian and Ubuntu) to point at the library. The build system will create an example of what you need in the mech file in its examples directory.

You may run into trouble running this under spnego. When Windows has NTLM as the most preferred mechanism with the negotiate package, it sends a raw NTLM token rather than a SPNEGO token as defined in RFC 4178. This code will definitely get you further though; it definitely will get past gss_accept_sec_context indicating an unsupported mechanism.

Upvotes: 1
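As an added example (not part of the question or of any answer on this page), the following C++ classifies the token a browser sends in an Authorization header before it is handed to gss_accept_sec_context. It tells the raw NTLMSSP token described in the answer above (the shape Windows sends when NTLM is the preferred mechanism of its Negotiate package) apart from an RFC 2743 initial context token that carries the SPNEGO OID (1.3.6.1.5.5.2) or a Kerberos OID, and for a raw NTLM Type 1 message it also reads the message type and NegotiateFlags. The TokenKind type, the helper names and the sample header are mine, not Heimdal's or gss-ntlmssp's API; the Type 1 message in the sample header is a constructed example, not a capture from the asker's setup.

```cpp
// Added example: classify the token in "Authorization: Negotiate <base64>"
// so a server can decide whether to feed it to SPNEGO, to a Kerberos or NTLM
// mechanism directly, or to reject it. Names and samples are constructed here.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

enum class TokenKind { Unknown, RawNtlm, Spnego, Krb5 };

struct TokenInfo {
    TokenKind kind = TokenKind::Unknown;
    uint32_t ntlm_message_type = 0;  // 1, 2 or 3 for raw NTLMSSP tokens
    uint32_t ntlm_flags = 0;         // NegotiateFlags, read for Type 1 only
};

// Strict RFC 4648 base64 decoder: '=' ends input, any other non-alphabet
// byte makes the whole token invalid (returns an empty vector).
std::vector<uint8_t> base64_decode(const std::string& in) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::vector<uint8_t> out;
    uint32_t acc = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;
        size_t v = tbl.find(c);
        if (v == std::string::npos) return {};
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<uint8_t>((acc >> bits) & 0xff));
        }
    }
    return out;
}

// Little-endian uint32 at offset off; caller guarantees off + 4 <= size.
static uint32_t le32(const std::vector<uint8_t>& t, size_t off) {
    return static_cast<uint32_t>(t[off]) | static_cast<uint32_t>(t[off + 1]) << 8 |
           static_cast<uint32_t>(t[off + 2]) << 16 | static_cast<uint32_t>(t[off + 3]) << 24;
}

// Parse one DER length at in[pos] (short form or 1-2 byte long form).
static bool der_length(const std::vector<uint8_t>& in, size_t& pos, size_t& len) {
    if (pos >= in.size()) return false;
    uint8_t b = in[pos++];
    if (b < 0x80) { len = b; return true; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 2 || pos + n > in.size()) return false;
    len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | in[pos++];
    return true;
}

TokenInfo classify_token(const std::vector<uint8_t>& t) {
    TokenInfo info;
    // Raw NTLMSSP: signature "NTLMSSP\0" then a LE uint32 message type.
    // This is what arrives with no SPNEGO wrapper at all.
    static const uint8_t sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    if (t.size() >= 12 && std::memcmp(t.data(), sig, 8) == 0) {
        info.kind = TokenKind::RawNtlm;
        info.ntlm_message_type = le32(t, 8);
        if (info.ntlm_message_type == 1 && t.size() >= 16) info.ntlm_flags = le32(t, 12);
        return info;
    }
    // RFC 2743 InitialContextToken: 0x60 <len> 0x06 <oidlen> <OID> <mech token>
    size_t pos = 0, len = 0;
    if (t.empty() || t[pos++] != 0x60 || !der_length(t, pos, len)) return info;
    if (pos >= t.size() || t[pos++] != 0x06 || !der_length(t, pos, len)) return info;
    if (pos + len > t.size()) return info;
    static const std::vector<uint8_t> spnego = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};  // 1.3.6.1.5.5.2
    static const std::vector<uint8_t> krb5 = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};    // 1.2.840.113554.1.2.2
    static const std::vector<uint8_t> mskrb5 = {0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02};  // 1.2.840.48018.1.2.2
    std::vector<uint8_t> oid(t.begin() + pos, t.begin() + pos + len);
    if (oid == spnego) info.kind = TokenKind::Spnego;
    else if (oid == krb5 || oid == mskrb5) info.kind = TokenKind::Krb5;
    return info;
}

// Accept "Negotiate <b64>" or "NTLM <b64>"; anything else is Unknown.
TokenInfo classify_authorization_header(const std::string& value) {
    for (const char* scheme : {"Negotiate ", "NTLM "}) {
        size_t n = std::strlen(scheme);
        if (value.compare(0, n, scheme) == 0) return classify_token(base64_decode(value.substr(n)));
    }
    return TokenInfo{};
}

int main() {
    // Constructed sample header carrying an NTLM Type 1 (NEGOTIATE) message.
    const std::string hdr = "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==";
    TokenInfo info = classify_authorization_header(hdr);
    std::cout << "raw NTLM: " << (info.kind == TokenKind::RawNtlm) << ", type "
              << info.ntlm_message_type << ", flags 0x" << std::hex << info.ntlm_flags << "\n";
    return 0;
}
```

The point of the check is the routing decision it enables: a token that starts with "NTLMSSP\0" is not a SPNEGO token, so passing it to a credential acquired for the SPNEGO mechanism will not succeed; the server has to hand it to an NTLM mechanism directly, or answer 401 and offer only the schemes it can actually complete. Treat every byte read from the decoded token as untrusted, which is why both the DER walk and the NTLM field reads are bounds-checked before indexing.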

user1800613

Reputation: 11

Heimdal's NTLM library also supports the client side. You can, using library primitives, generate Type 1, 2 and 3 messages, and it will work. I don't know, however, whether you can use GSS-API on top of Heimdal for this purpose. I assume that with testing, you can do this too.

Upvotes: 1
