I'm having great difficulty getting Kerberos Auth working with Vault using VaultSharp.

I don't have control over Vault server but I've been informed that it is configured and ready to use.

I'm using .NET running in IIS and I want to make use of the service account that IIS is running under so that I don't need to store additional secrets or user/passwords.

Here is the code I'm using and the error:

using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Kerberos;

public string GetSecretWithKerberosAuthUsingVaultSharp(string keyName, string vaultBaseAddress, string vaultResourcePath, string mountPoint)
{
    // No credentials passed: VaultSharp falls back to the default network credential,
    // i.e. the Windows identity the worker process is running as.
    IAuthMethodInfo authMethod = new KerberosAuthMethodInfo(); // uses network credential by default.
    var vaultClientSettings = new VaultClientSettings(vaultBaseAddress, authMethod);
    IVaultClient vaultClient = new VaultClient(vaultClientSettings);

    // KV v2 read; VaultSharp performs the Kerberos login lazily on this first call.
    var result = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(vaultResourcePath, mountPoint: mountPoint).Result;
    //Above line gives this error message:
    //{"request_id":"a85dfbb3-b283-3513-7cd3-01ad757eed1b","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Unauthorised.\n\n"],"auth":null}

    var resultData = result.Data;
    string secret = resultData.Data[keyName].ToString();

    return secret;
}

I have managed to get it working using token auth as well as through the CLI but that is not quite what I want.

Both authMethod.Credentials.UserName and authMethod.Credentials.Domain are empty strings. I don't know whether they are supposed to be populated in this case or not, but the documentation states that it "uses network credentials by default".

Any help appreciated.

PostureOfLearning
  • Can you check if the Kerberos backend has been enabled and configured properly? Can you also check if the Kerberos Auth works using the Vault CLI? If yes, then it is an issue with VaultSharp. Open an issue in my repo. But if CLI works, then there is something wrong with your Kerberos setup – Raja Nadar Nov 21 '20 at 10:03
  • did the issue get resolved for you? – Raja Nadar Nov 28 '20 at 09:07
  • No, not resolved, and we are considering using other alternatives. "Can you check if Kerberos backend has been enabled and configured properly?" - What is needed in order for it to be 'proper'? – PostureOfLearning Dec 04 '20 at 09:35
  • Proper means ensuring that the Vault-to-Kerberos auth endpoint is created and permissioned with the right credentials, so that eventually when you log in the user, Vault can check the user login with Kerberos. Here is the detail: https://www.vaultproject.io/docs/auth/kerberos My request was to see if Kerberos Auth is working for you 100% via the CLI or not. If it works, then there is an issue with the VaultSharp library; else there is a configuration problem. – Raja Nadar Dec 05 '20 at 10:20
  • The other thing to try is to use domain credentials explicitly. – Raja Nadar Dec 05 '20 at 12:03

1 Answer

Is your web application running in integrated Windows Auth mode, with anonymous auth disabled?

If no, please make it work in that mode, so that your web app has the Windows Integrated Auth context and the web calls from VaultSharp to the Vault API carry that security context.

If yes, then can you please try a couple of things?

var kerberosAuthInfo = new KerberosAuthMethodInfo(CredentialCache.DefaultCredentials);

If the above doesn't work, then can you try explicit credentials?

var kerberosAuthInfo = new KerberosAuthMethodInfo(new NetworkCredential(userName, password, domain));

Ideally, the web app context should carry the integrated Windows context so that you don't need to provide explicit credentials, but it might be worth trying explicit credentials to ensure that it works first; then we can backtrack as to why the context is not being passed.

Raja Nadar
  • If I understand correctly... if I change those settings as you recommend, then it means that A) a user has to log in using network credentials and B) the credentials are taken from the user. I want neither of these. I want the IIS service account to be used, as per my question. If I wanted to use a userName/password combo I can successfully do it using LDAP auth, but again, this is not what I am asking for. I can get the IIS service account user name through code, but the problem is authenticating it or its password. I have heard that configuring a keytab for Kerberos might work. Does it? How? – PostureOfLearning Dec 14 '20 at 10:52
  • @PostureOfLearning can you please open a GH issue? let's close it out there. Other folks have been using Kerberos successfully. – Raja Nadar Jan 24 '21 at 17:30
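The answer and the comments hinge on two questions that the "Unauthorised" response does not separate: which Windows identity the IIS worker process actually presents, and whether Vault's Kerberos login endpoint accepts that identity independently of VaultSharp. The following diagnostic is an added example in C#, not code from the question or from the VaultSharp project; it assumes the documented login path auth/<mount>/login with the default mount name kerberos, and a Vault server that answers an unauthenticated request with a Negotiate challenge.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;

// Added diagnostic (not from the question or VaultSharp): reports who the
// process is, then probes Vault's Kerberos login endpoint with that identity.
public static class VaultKerberosProbe
{
    // Under IIS this should be the app-pool / service account, not the browser
    // user, unless impersonation is enabled for the application.
    public static string CurrentIdentity()
    {
        using (var id = WindowsIdentity.GetCurrent())
            return $"{id.Name} (impersonation={id.ImpersonationLevel})";
    }

    // POSTs to auth/<mountPoint>/login with the process credentials. The handler
    // answers Vault's "WWW-Authenticate: Negotiate" challenge with a SPNEGO token
    // for the identity above, which is what VaultSharp does internally.
    public static async Task<string> ProbeLoginAsync(string vaultBaseAddress, string mountPoint = "kerberos")
    {
        var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using (var http = new HttpClient(handler) { BaseAddress = new Uri(vaultBaseAddress) })
        {
            var response = await http.PostAsync($"/v1/auth/{mountPoint}/login", new StringContent("{}"));
            var body = await response.Content.ReadAsStringAsync();
            switch ((int)response.StatusCode)
            {
                case 200:
                    return "Kerberos login accepted; Vault issued a token, so a failure in VaultSharp is a library issue: " + body;
                case 404:
                    return $"No auth method mounted at auth/{mountPoint}; confirm the mount name with the Vault admin.";
                case 401:
                    return "Negotiate rejected: check the Vault SPN/keytab and the LDAP mapping for the identity above: " + body;
                default:
                    return $"HTTP {(int)response.StatusCode}: {body}";
            }
        }
    }
}
```

Run CurrentIdentity() and ProbeLoginAsync(...) from inside the IIS application (for example from a diagnostic page), since the identity and the Kerberos ticket cache differ from those of an interactive console session.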