0

I have a Linux server application that is using Kerberos for client authentication and client that needs to run on Windows. Kerberos tickets are issued by Windows Active Directory. Client authenticates successfully on server if I use MIT KfW 3.2.2. API for retrieving AS and TGS tickets from Kerberos server and store them in kerberos credentials store. But the problem with this approach is that user needs to input his credentials again. The solution would be to access MS LSA store but this does not work. Neither does ms2mit.exe application. It does not matter if I run it as normal user or as administrator, or if I disable UAC completely. This is why I would like to use SSPI on client to make the KRB_AP_REQ message which I would send to server. Is that possible. If yes how can it be done? IF no, what are my other options? Please note that server is already built and it would require significant effort to change it, therefore I would like to find a solution on windows.

neznanec
  • 103
  • 1
  • 5
  • OK, I opened the SSPI message in ASN.1 Viewer and it appears that Microsoft wraps AP_REQ message. Wrapper includes (at least in my case) object identifier, boolean value and AP_REQ message. If I use this AP_REQ message with MIT Kerberos library it decodes OK. Now the only question that remains is how to do this by using documented interfaces because relying to undocumented behaviour might be to fragile for use in production. – neznanec Jul 25 '11 at 13:15
  • 1
    SSPI is actually a standards compliant implementation of GSSAPI, RFC 1964. The ASN.1-like type that describes the format of the token returned by InitializeSecurityContext for the Kerberos Subsystem is a InitialContextToken (RFC 1964 sec 1.1). It isn't technically ASN.1 as it has a 2 byte "token" before the KRB_AP_REQ that makes it malformed. I know its 6 years too late, but grabbing a KRB_AP_REQ from token+17 bytes is actually not undocumented behavior. – Mark Jun 21 '17 at 21:40

1 Answers1

1

You can use the AquireCredentialsHandle and InitializeSecurityContext functions of the windows SSPI subsystem to get a valid ticket and authenticate against a Linux based server.

First use AcquireCredentialsHandle() and than use multiple calls to InitializeSecurityContext with the tokens you get from your server until your authenticated.

schlenk
  • 7,002
  • 1
  • 25
  • 29