Kerberos Support #1

Closed
enj opened this issue Sep 29, 2016 · 8 comments

@enj
Contributor

enj commented Sep 29, 2016

@alexbrainman Could you point me to some documentation and/or links that could help me implement Kerberos support in Go on Windows using this library (something like https://github.com/alexbrainman/sspi/blob/master/ntlm/http_test.go)?

@alexbrainman
Owner

help me implement Kerberos support in Go on Windows

Microsoft provides different SSP providers

https://msdn.microsoft.com/en-us/library/windows/desktop/aa380502(v=vs.85).aspx

You should be able to start with my sspi/ntlm package and change some code to implement Kerberos. In fact I have (as far as I remember) implemented Negotiate provider (it is NTLM + Kerberos) in one of my projects, and it worked. I will try and clean up my code and publish some code when I have free time. But you should have a go - it should not be hard.

Alex

@alexbrainman
Owner

I have (as far as I remember) implemented Negotiate provider (it is NTLM + Kerberos) in one of my projects, and it worked.

Here 05f0258 are my changes.

Alex

@enj
Contributor Author

enj commented Oct 5, 2016

Thanks I will try this out and let you know 😄

@bbigras

bbigras commented Dec 22, 2016

@enj did you test it?

@enj
Contributor Author

enj commented Dec 22, 2016

@BrunoQC I have a WIP PR openshift/origin#11371

There are still some bugs to take care of in my code and in this library. But for the most part everything works as expected. This did not work with the runas command.

@trung

trung commented Jun 1, 2018

Extended Protection for Authentication (EPA) was introduced in Windows 7/WS2008R2 to thwart reflection attacks. This blog describes the changes in the implementation of NTLM Authentication that are needed to successfully authenticate to servers that have EPA enabled. Windows 7/WS 2008R2 and Windows 8/ WS2012 have EPA enabled out of the box.

When channel binding/extended protection for authentication (here and here) is enabled, there needs to be an extra step to obtain the server certificate and encode it in the input buffer before sending to InitializeSecurityContext. I copied the implementation from Python Library and made it work.

Will get a PR raised for review

@enj
Contributor Author

enj commented Jun 16, 2018

I am going to close this since it appears to be working for me (even with runas). I will open issues or PRs if I encounter bugs after the code has seen more real world use.

openshift/origin#11371

@enj enj closed this as completed Jun 16, 2018
@alexbrainman
Owner

I am going to close this since it appears to be working for me (even with runas).

Glad to hear that.

I will open issues or PRs if I encounter bugs after the code has seen more real world use.

SGTM

Alex
