
I am developing an application using Kerberos authentication in a double-hop scenario: the client connects to a server which needs to use the client's credentials to connect to a SQL server.

I already did it using gSOAP and the GSS-API from the MIT Kerberos release, but I would have liked to use WinHTTP to handle the authentication.

Yet, when I try to use WinHTTP with the gSOAP WinHTTP plugin (gsoapwinhttp on code.google), the delegation is blocked by the Domain Controller. I want to keep this Active Directory configuration:

Active Directory configuration picture

When I look at the GSS-API Kerberos ticket, I find several flags allowing delegation, such as forwardable or deleg_req_flag:

Wireshark forwardable flag

So my question is: can I modify the WinHTTP flags to allow delegation without changing the Domain Controller's configuration?

Edit:

I'm using the option WINHTTP_AUTH_SCHEME_NEGOTIATE in WinHttpSetCredentials and WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW in WinHttpSetOption to be sure to use Kerberos or NTLM, as specified on Microsoft's WinHttpSetCredentials page.

Using Fiddler I checked the HTTP connection and it is using Kerberos, but I still can't delegate to my next server.

I tried almost every possible option of WinHttpSetOption, such as WINHTTP_ENABLE_SSL_REVERT_IMPERSONATION or anything that looks like delegation, but I get a strange error when using this option:

End of file or no input: message transfer interrupted or timed out (629s recv send delay)

I tried to set a different recv_timeout, but I still get the same error.


H. Gybels

1 Answer


I've studied this type of problem a lot. You are experiencing the Kerberos double-hop problem. In the configuration screenshot you provided, you must configure delegation; right now delegation is not set. The first thing to try is open delegation; to do that, select the radio button "Trust this computer for delegation to any service (Kerberos only)". You set this on the computer account in AD which needs to use the client's credentials to connect to the SQL server, not on the domain controller account. If your application is actually running on a domain controller, then that is a known issue and an unsupported configuration which won't work; please move the application to a member server of the domain.

Regarding those flags allowing delegation, such as forwardable or deleg_req_flag, shown as being set in the Fiddler trace: I'm not sure why they are shown as set, but they might have been set from the wrong account. From the account in the screenshot you posted, Kerberos delegation is not configured at all.

In your scenario, you must set Kerberos delegation on the computer account which is running the WinHTTP process; in the example shown below, that would be "Server1".

Simple Kerberos delegation scenario

In the Kerberos Delegation properties of that account, you can specify either open delegation (top radio button as I stated above), or constrained delegation to the process on Server2 to which Server1 may forward the user credentials (the Kerberos service tickets).

T-Heron
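The AD changes the answer describes (open delegation first, then constrained delegation to the SQL service) can be inspected and applied from PowerShell instead of the Delegation tab. The script below is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module, a middle-tier computer account named Server1 (the box running the WinHTTP process), and a hypothetical SQL Server SPN MSSQLSvc/sql01.example.local:1433. The check on the delegating user and on the SPN are caveats added here, not steps from the answer.

```powershell
# Added example: inspect and set Kerberos delegation on the middle-tier computer account.
# Names below are hypothetical; adjust to your domain.
Import-Module ActiveDirectory

$middleTier = 'Server1'                               # computer account running the WinHTTP process
$sqlSpn     = 'MSSQLSvc/sql01.example.local:1433'     # SPN of the back-end SQL Server service
$testUser   = 'jdoe'                                  # a client account used to test the double hop

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation,
            TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Name               = $c.Name
        # "Trust this computer for delegation to any service (Kerberos only)"
        # = UF_TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl
        Unconstrained      = [bool]$c.TrustedForDelegation
        # "Trust this computer for delegation to specified services only"
        ConstrainedTargets = @($c.'msDS-AllowedToDelegateTo')
        # "Use any authentication protocol" (protocol transition); not needed for Kerberos-only
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
    }
}

# 1. What the Delegation tab currently says for Server1 (in the question: nothing set).
Get-DelegationState -ComputerName $middleTier | Format-List

# 2a. Open delegation, the first thing the answer suggests trying.
#     Identity for a computer account is its SAM account name, i.e. "Server1$".
Set-ADAccountControl -Identity "$middleTier$" -TrustedForDelegation $true

# 2b. Constrained delegation, preferable once the hop works: only to the SQL service.
#     Clear the unconstrained bit and list the allowed target SPN(s).
Set-ADAccountControl -Identity "$middleTier$" -TrustedForDelegation $false
Set-ADComputer -Identity $middleTier -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# 3. Caveat: the target SPN must be registered on the SQL service account, or the KDC
#    cannot issue the forwarded service ticket regardless of the delegation setting.
if (-not (Get-ADObject -LDAPFilter "(servicePrincipalName=$sqlSpn)")) {
    Write-Warning "No account holds SPN $sqlSpn; register it before testing delegation."
}

# 4. Caveat: the client user must be allowed to be delegated. The "Account is sensitive
#    and cannot be delegated" flag (or Protected Users membership) makes the TGT
#    non-forwardable, and the middle tier then cannot delegate even if configured.
$u = Get-ADUser -Identity $testUser -Properties AccountNotDelegated, MemberOf
if ($u.AccountNotDelegated -or ($u.MemberOf -match '^CN=Protected Users,')) {
    Write-Warning "$testUser cannot be delegated; test with a different account."
}

# 5. Re-read to confirm the change took effect (may need to wait for replication).
Get-DelegationState -ComputerName $middleTier | Format-List
```

Run it on a member server as a user with rights to modify the computer object; run only step 2a or 2b, not both, depending on which mode you want. After changing the account, reboot Server1 or purge its Kerberos ticket cache (klist purge under the service's identity) so it requests a fresh service ticket that reflects the new delegation setting.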