4

I'm trying to implement Negotiate (at least the Kerberos part) in a small web server. I've figured out how to get a client to send me a Kerberos Negotiate Authorization header. I've figured out how to decode that data (ASN.1). I cannot figure out how to turn this into a WindowsIdentity. I can get a general idea of how I might from KerberosReceiverSecurityToken, but I can't find anything like a NegotiateReceiverSecurityToken. I've been digging through lots of DLLs and I can't for the life of me figure out where IIS/.NET processes the Negotiate header.

I presume (if I had my own SspiWrapper) that I would do something with SspiWrapper.AcquireDefaultCredential("Negotiate", CredentialUse.Inbound) to acquire an SSPI context with which I could call AcceptSecurityContext/Negotiate and then use QuerySecurityContextToken to get the token with which I could create a WindowsIdentity.

But KerberosReceiverSecurityToken makes that look like an immensely complicated process. And without any idea of how to do that or what part of the Authorization header payload to put into it, I could probably beat my head against it for a month without getting anywhere.

(Before you ask or answer, I have absolutely no interest in using the built-in Negotiate logic. If I could find it, I would learn from it, but I've been trying to get that to work for FAR too long. And I'm done with that.)

Ethan Reesor
  • You will have to refer to the Katana/Kestrel web server source code repo from Microsoft to learn which native API they call. It is rather a broad question; I am voting to close. If you do intend to build your own, Microsoft published the standard documents at its site, which you'd better Google. – Lex Li Dec 03 '16 at 05:59
  • @LexLi How is my question broad? I want to take the data sent to my server from a client and turn it into a WindowsPrincipal. Seems pretty darn specific to me. – Ethan Reesor Dec 03 '16 at 06:52
  • A protocol client implementation is a huge project, and how much do you expect a thread at Stack Overflow to offer? – Lex Li Dec 03 '16 at 09:23
  • I'm not trying to build a protocol implementation. I'm simply trying to decode the Negotiate header and do something useful with the result. Based on `KerberosReceiverSecurityToken`, that should be ~100 lines and 10-20 SSPI API calls. – Ethan Reesor Dec 05 '16 at 19:36
  • I have implemented this using BouncyCastle (C#) for the ASN.1 stuff. – Sense545 Dec 08 '16 at 08:34
  • I'd love to know if you or @Sense545 ever built this out... – Joe May 25 '18 at 11:16
  • I made a working implementation in 2013 using the methods mentioned in my answer. – Sense545 May 28 '18 at 07:05

1 Answer

4
  1. Parse the incoming response token
  2. Call Secur32.AcquireCredentialsHandle to get a handle
  3. Call Secur32.AcceptSecurityContext passing the handle and the token
  4. Call Secur32.QuerySecurityContextToken passing the security context
  5. Construct a new WindowsIdentity(hToken) using the output from step 4

If you have any questions about any of these steps, I can elaborate and/or provide some sample code.

Sense545
  • Thank you for your answer. When I have some time, I'll try to use this to solve my problem. I'll get back to you then. – Ethan Reesor Dec 11 '16 at 22:20
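The five steps in the answer, and the SspiWrapper flow the question sketches (AcquireCredentialsHandle for "Negotiate" inbound, AcceptSecurityContext, QuerySecurityContextToken, WindowsIdentity), carried through as an added, self-contained example. This is not code from the question, the answer, or any Microsoft library; it is a plain P/Invoke acceptor written for this page. Assumptions not stated on the page: the class and method names (`SspiAcceptor`, `Accept`) are hypothetical, the caller keeps one instance per client connection, and the process runs as an account that holds the `HTTP/<host>` SPN so a Kerberos ticket can be issued for it. It goes slightly beyond the answer in that it also handles the multi-leg case (SEC_I_CONTINUE_NEEDED, which you get with NTLM fallback) rather than only the single-leg Kerberos exchange. Windows only; it cannot be run in a portable harness.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the question or the answer). One SspiAcceptor per client
// connection: a Negotiate handshake can take more than one round trip, and a partial
// security context must never be shared between connections.
public sealed class SspiAcceptor : IDisposable
{
    [StructLayout(LayoutKind.Sequential)] struct SecHandle { public IntPtr Lower, Upper; }
    [StructLayout(LayoutKind.Sequential)] struct SecBuffer { public int cbBuffer, BufferType; public IntPtr pvBuffer; }
    [StructLayout(LayoutKind.Sequential)] struct SecBufferDesc { public int ulVersion, cBuffers; public IntPtr pBuffers; }
    [StructLayout(LayoutKind.Sequential)] struct SecInteger { public uint Low; public int High; }

    const int SECPKG_CRED_INBOUND = 1, SECURITY_NATIVE_DREP = 0x10, SECBUFFER_TOKEN = 2;
    const int ASC_REQ_ALLOCATE_MEMORY = 0x100, ASC_REQ_CONNECTION = 0x800;
    const int SEC_E_OK = 0, SEC_I_CONTINUE_NEEDED = 0x90312,
              SEC_I_COMPLETE_NEEDED = 0x90313, SEC_I_COMPLETE_AND_CONTINUE = 0x90314;

    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int AcquireCredentialsHandle(string principal, string package, int use,
        IntPtr logonId, IntPtr authData, IntPtr getKeyFn, IntPtr getKeyArg,
        ref SecHandle cred, ref SecInteger expiry);
    // Two bindings of the same export: phContext is NULL on the first leg, the existing handle after that.
    [DllImport("secur32.dll", EntryPoint = "AcceptSecurityContext")]
    static extern int AcceptFirst(ref SecHandle cred, IntPtr noCtx, ref SecBufferDesc input, int req,
        int dataRep, ref SecHandle newCtx, ref SecBufferDesc output, out int attr, ref SecInteger expiry);
    [DllImport("secur32.dll", EntryPoint = "AcceptSecurityContext")]
    static extern int AcceptNext(ref SecHandle cred, ref SecHandle ctx, ref SecBufferDesc input, int req,
        int dataRep, ref SecHandle newCtx, ref SecBufferDesc output, out int attr, ref SecInteger expiry);
    [DllImport("secur32.dll")] static extern int CompleteAuthToken(ref SecHandle ctx, ref SecBufferDesc token);
    [DllImport("secur32.dll")] static extern int QuerySecurityContextToken(ref SecHandle ctx, out IntPtr token);
    [DllImport("secur32.dll")] static extern int FreeContextBuffer(IntPtr buf);
    [DllImport("secur32.dll")] static extern int DeleteSecurityContext(ref SecHandle ctx);
    [DllImport("secur32.dll")] static extern int FreeCredentialsHandle(ref SecHandle cred);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    SecHandle _cred, _ctx;
    bool _haveCtx;

    public SspiAcceptor()
    {
        // Step 2: inbound credential for the Negotiate package, i.e. the account this process
        // runs as. That account must own the HTTP/<host> SPN or clients will fall back to NTLM.
        var expiry = new SecInteger();
        int rc = AcquireCredentialsHandle(null, "Negotiate", SECPKG_CRED_INBOUND,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref _cred, ref expiry);
        if (rc != SEC_E_OK) throw new Win32Exception(rc);
    }

    // Feeds one "Authorization: Negotiate <base64>" value. Returns the identity once the handshake
    // is complete, otherwise null. A non-null outToken must go back to the client as
    // "WWW-Authenticate: Negotiate <token>" (with 401 while continuing, with the final response
    // when mutual authentication produced a last token).
    public WindowsIdentity Accept(string authorization, out string outToken)
    {
        const string prefix = "Negotiate ";
        if (authorization == null || !authorization.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not a Negotiate header");
        // Step 1: the base64 payload is the complete SPNEGO/GSS-API token. No ASN.1 parsing is
        // needed on our side; the Negotiate package decodes it inside AcceptSecurityContext.
        byte[] inBytes = Convert.FromBase64String(authorization.Substring(prefix.Length));

        var inBufs = new[] { new SecBuffer { cbBuffer = inBytes.Length, BufferType = SECBUFFER_TOKEN } };
        var outBufs = new[] { new SecBuffer { BufferType = SECBUFFER_TOKEN } }; // SSPI allocates pvBuffer
        GCHandle hData = GCHandle.Alloc(inBytes, GCHandleType.Pinned),
                 hIn = GCHandle.Alloc(inBufs, GCHandleType.Pinned),
                 hOut = GCHandle.Alloc(outBufs, GCHandleType.Pinned);
        try
        {
            inBufs[0].pvBuffer = hData.AddrOfPinnedObject();
            var inDesc = new SecBufferDesc { cBuffers = 1, pBuffers = hIn.AddrOfPinnedObject() };
            var outDesc = new SecBufferDesc { cBuffers = 1, pBuffers = hOut.AddrOfPinnedObject() };
            var expiry = new SecInteger();
            SecHandle newCtx = _ctx;
            int attr, req = ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_CONNECTION;

            // Step 3: one call per round trip. Kerberos normally finishes in one; NTLM needs two.
            int rc = _haveCtx
                ? AcceptNext(ref _cred, ref _ctx, ref inDesc, req, SECURITY_NATIVE_DREP, ref newCtx, ref outDesc, out attr, ref expiry)
                : AcceptFirst(ref _cred, IntPtr.Zero, ref inDesc, req, SECURITY_NATIVE_DREP, ref newCtx, ref outDesc, out attr, ref expiry);
            if (rc == SEC_I_COMPLETE_NEEDED || rc == SEC_I_COMPLETE_AND_CONTINUE)
            {
                CompleteAuthToken(ref newCtx, ref outDesc);
                rc = rc == SEC_I_COMPLETE_NEEDED ? SEC_E_OK : SEC_I_CONTINUE_NEEDED;
            }
            if (rc != SEC_E_OK && rc != SEC_I_CONTINUE_NEEDED) throw new Win32Exception(rc);
            _ctx = newCtx; _haveCtx = true;

            outToken = null;
            if (outBufs[0].pvBuffer != IntPtr.Zero && outBufs[0].cbBuffer > 0)
            {
                var o = new byte[outBufs[0].cbBuffer];
                Marshal.Copy(outBufs[0].pvBuffer, o, 0, o.Length);
                FreeContextBuffer(outBufs[0].pvBuffer);
                outToken = Convert.ToBase64String(o);
            }
            if (rc == SEC_I_CONTINUE_NEEDED) return null; // answer 401 + outToken, keep this object

            // Steps 4 and 5: impersonation token for the client, then the managed identity.
            IntPtr hToken;
            rc = QuerySecurityContextToken(ref _ctx, out hToken);
            if (rc != SEC_E_OK) throw new Win32Exception(rc);
            try { return new WindowsIdentity(hToken); }  // the constructor duplicates the handle
            finally { CloseHandle(hToken); }
        }
        finally { hData.Free(); hIn.Free(); hOut.Free(); }
    }

    public void Dispose()
    {
        if (_haveCtx) DeleteSecurityContext(ref _ctx);
        FreeCredentialsHandle(ref _cred);
    }
}
```

Usage: on a request with no Authorization header, reply 401 with a bare `WWW-Authenticate: Negotiate`; that challenge is what makes the browser fetch a service ticket and send the header the question describes. Then call `Accept` with the header value; a null return means send 401 plus the returned token and call `Accept` again on the same object when the next request arrives on that connection. Two checks worth keeping: treat only a non-null `WindowsIdentity` with `IsAuthenticated == true` as a logged-in user, and tie the acceptor to the TCP connection (not to a cookie or a URL) so a half-finished NTLM exchange cannot be completed from somewhere else. The token from QuerySecurityContextToken is an impersonation token for the client, so `identity.Name` is the caller's `DOMAIN\user`, not the service account.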