
A little background story:

In my company we are using IBM Cognos TM1 / IBM Cognos Analytics with BI Gateway for the authentication via SSO (we use an LDAP ApacheDS as directory).

Since the restructuring of the LDAP directory, my displayed username has become weirdly long: it's the whole entry DN with some special chars inside and my name, but not the UID (it's clustered in a CN).

So the SSO is still working fine. Now I started to sniff the traffic in the network and search the cookies for my user credentials. I found an SSO cookie with a NEGOTIATE header string. Is there a possibility to decode this, so that I can see my username again which is sent?

Thanks for the support

  • Not really (not easily), the `Negotiate` header implies using Kerberos, NTLM or SPNEGO protocol (search for it). They are multi-step protocols and the values should be encrypted. See https://tools.ietf.org/html/rfc4559 – gusto2 Jan 29 '20 at 07:33
  • Thank you, yes we are using Kerberos and something called "Alfa". I read some articles about Kerberos and it seems impossible with my access to the infrastructure; I may need some help from an IBM consulting company to solve this. Edit: you can post this as an answer, I will mark it, thank you! – PolygonBird Jan 29 '20 at 08:23
  • What is used as SAML SSO IdP? – gusto2 Jan 29 '20 at 08:53
  • What do you mean, gusto? Sorry, I'm new to this SSO and server things. – PolygonBird Feb 13 '20 at 09:10

1 Answer


> Is there a possibility to decode this, so that I can see my username again which is sent?

Not really (not easily).

The Negotiate header implies using Kerberos, NTLM or SPNEGO protocol (search for it). They are multi-step protocols and the values should be encrypted.

See https://www.rfc-editor.org/rfc/rfc4559

gusto2
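
To see which mechanism a captured `Negotiate` value carries, the sketch below (an added example, not part of the original answer) base64-decodes the token and looks for the mechanism OIDs and the NTLMSSP signature that travel in the clear. It is a byte-pattern heuristic rather than a full ASN.1 parser, and the function names and sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value) sent in clear in GSS-API tokens.
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_OIDS = {SPNEGO: "SPNEGO", KRB5: "Kerberos 5", MS_KRB5: "MS Kerberos 5", NTLMSSP: "NTLMSSP"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def describe_negotiate(header_value):
    """Describe the token in a 'Negotiate <base64>' header value (hypothetical helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header value")
    token = base64.b64decode(b64.strip(), validate=True)
    info = {"length": len(token), "mechanisms": [], "ntlm_message": None}
    # Raw NTLM: 8-byte signature followed by a little-endian 32-bit message type.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        info["ntlm_message"] = NTLM_TYPES.get(struct.unpack_from("<I", token, 8)[0], "unknown")
        info["mechanisms"] = ["NTLM (raw)"]
        return info
    # GSS-API/SPNEGO: list every known mechanism OID in order of appearance.
    found = sorted((token.find(oid), name) for oid, name in MECH_OIDS.items() if oid in token)
    info["mechanisms"] = [name for _, name in found]
    return info


def _tlv(tag, body):
    """DER tag-length-value with a short-form length (body shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body


def constructed_samples():
    """Build two constructed header values; no real ticket or credential is included."""
    opaque = _tlv(0x04, b"\x00" * 16)  # stands in for the encrypted Kerberos AP-REQ
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, KRB5)) + _tlv(0xA2, opaque)))
    spnego = _tlv(0x60, SPNEGO + neg_init)
    ntlm = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)
    return ["Negotiate " + base64.b64encode(t).decode() for t in (spnego, ntlm)]


if __name__ == "__main__":
    for value in constructed_samples():
        print(describe_negotiate(value))
```

The mechanism identifiers are readable, while the Kerberos ticket and authenticator that follow them are encrypted, which is why the header alone does not show the username.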