
RE: spnego sspi delegation [windows 7]

From: Claudio via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 10 Oct 2019 09:24:26 +0000

>-----Original Message-----
>From: curl-library <curl-library-bounces_at_cool.haxx.se> On Behalf Of Claudio
>via curl-library
>Sent: Wednesday, July 03, 2019 1:56 PM
>To: curl-library_at_cool.haxx.se
>Cc: Rinaldi, Claudio: Quants (LDN) <claudio.rinaldi_at_barclays.com>
>Subject: spnego sspi delegation [windows 7]
>
>
>Hello Everyone,
>
>I have a problem with the curl lib on Windows which I have managed to quick-fix,
>but I would need some further insight from experts.
>I am using curllib (or the curl command) with --negotiate authentication on
>Windows and the "--delegation always" (or policy) parameter. We use Kerberos
>authentication for what I know.
>The server I connect to will forward the request to a back end system and my
>credentials must be provided to be authorized. On Linux it seems to work out of
>the box but on Windows I always had an error like
>
>"Could not impersonate INTRANET\XXXX as authentication token was not
>provided".
>
>The ticket stored in my box for the server I connect to includes the following
>attribute
>
>Ticket Flags -> forwardable renewable pre_authent ok_as_delegate
>
>I have managed to make it work by adding the flag ISC_REQ_DELEGATE to the
>call in spnego_sspi.c (around line 250)
>
> nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
>                                                    chlg ? nego->context : NULL,
>                                                    nego->spn,
>                                                    ISC_REQ_DELEGATE | ISC_REQ_CONFIDENTIALITY,
>                                                    // <== CODE CHANGE added flag ISC_REQ_DELEGATE
>                                                    0, SECURITY_NATIVE_DREP,
>                                                    chlg ? &chlg_desc : NULL,
>                                                    0, nego->context,
>                                                    &resp_desc, &attrs,
>                                                    &expiry);
>
>Now what I wanted to do is to handle the parameter --delegation properly.
>First of all I would need to see if the security package supports DELEGATION.
>Hence I have checked it like this:
>
> nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
>                                                   TEXT(SP_NAME_NEGOTIATE),
>                                                   &SecurityPackage);
>
> unsigned long isc_flags = ISC_REQ_CONFIDENTIALITY;
> if (SecurityPackage->fCapabilities & SECPKG_FLAG_DELEGATION) {
>   if (data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
>     isc_flags |= ISC_REQ_DELEGATE;
>   }
>   else if (data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG) {
>     // error not supported ???
>   }
> }
>
>
>Of course it is not a gssapi_delegation, but I assume sspi should mimic the gssapi
>interface/functionality so we could in theory use the same flag.
>
>Question 1: Is there a way to force the delegation using sspi? Or is
>CURLGSSAPI_DELEGATION_FLAG not supported, e.g. there is no way to
>force it if the Active Directory does not allow it?
>
>Question 2: When I look at the fCapabilities flags in the SecurityPackage
>structure for the loaded package (secur32) I get the info below back (which I
>have pretty printed). The SECPKG_FLAG_DELEGATION is false so I am a bit
>puzzled. I can make it work but the library tells me the delegation is not
>supported.
>
>Now my knowledge in here is very limited.
>If I want to reuse the delegation option, what flag do I need to check to know
>if this functionality is supported? If it is GSS COMPATIBLE?
>
>Thanks for any help you could provide.
>
>Best Regards
>Claudio Rinaldi
>
>Security Package: Negotiate
>Security Package supported flags: 83bb3
>Comment: Microsoft Package Negotiator
>============================================
>
>    SUPPORTED [SECPKG_FLAG_INTEGRITY]
>    SUPPORTED [SECPKG_FLAG_PRIVACY]
>NOT SUPPORTED [SECPKG_FLAG_TOKEN_ONLY]
>NOT SUPPORTED [SECPKG_FLAG_DATAGRAM]
>    SUPPORTED [SECPKG_FLAG_CONNECTION]
>    SUPPORTED [SECPKG_FLAG_MULTI_REQUIRED]
>NOT SUPPORTED [SECPKG_FLAG_CLIENT_ONLY]
>    SUPPORTED [SECPKG_FLAG_EXTENDED_ERROR]
>    SUPPORTED [SECPKG_FLAG_IMPERSONATION]
>    SUPPORTED [SECPKG_FLAG_ACCEPT_WIN32_NAME]
>NOT SUPPORTED [SECPKG_FLAG_STREAM]
>    SUPPORTED [SECPKG_FLAG_NEGOTIABLE]
>    SUPPORTED [SECPKG_FLAG_GSS_COMPATIBLE]
>    SUPPORTED [SECPKG_FLAG_LOGON]
>NOT SUPPORTED [SECPKG_FLAG_ASCII_BUFFERS]
>NOT SUPPORTED [SECPKG_FLAG_FRAGMENT]
>NOT SUPPORTED [SECPKG_FLAG_MUTUAL_AUTH]
>NOT SUPPORTED [SECPKG_FLAG_DELEGATION]
>NOT SUPPORTED [SECPKG_FLAG_READONLY_WITH_CHECKSUM]
>    SUPPORTED [SECPKG_FLAG_RESTRICTED_TOKENS]
>NOT SUPPORTED [SECPKG_FLAG_NEGO_EXTENDER]
>NOT SUPPORTED [SECPKG_FLAG_NEGOTIABLE2]
>NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_PASSTHROUGH]
>NOT SUPPORTED [SECPKG_FLAG_APPCONTAINER_CHECKS]

Hi Everyone,

A couple of months ago I sent the above email but unfortunately I did not get any answer. I have fixed the code locally and it works, but it would be good to get this into an official release as a proper fix.

Best regards
Claudio
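An added example, not curl's own code, that decodes the fCapabilities value quoted above (0x83bb3) into SECPKG_FLAG names and derives the InitializeSecurityContext request flags from the mapping the mail sketches. The SECPKG_FLAG/ISC_REQ bit values are copied from sspi.h and the CURLGSSAPI constants from curl/curl.h; it makes no Windows API call, so it builds and runs on any platform.

```c
#include <stdio.h>
#include <string.h>
/* SECPKG_FLAG_* names by bit position as in sspi.h (bit 0 .. bit 23). */
static const char *const secpkg_names[24] = {
  "INTEGRITY", "PRIVACY", "TOKEN_ONLY", "DATAGRAM", "CONNECTION",
  "MULTI_REQUIRED", "CLIENT_ONLY", "EXTENDED_ERROR", "IMPERSONATION",
  "ACCEPT_WIN32_NAME", "STREAM", "NEGOTIABLE", "GSS_COMPATIBLE", "LOGON",
  "ASCII_BUFFERS", "FRAGMENT", "MUTUAL_AUTH", "DELEGATION",
  "READONLY_WITH_CHECKSUM", "RESTRICTED_TOKENS", "NEGO_EXTENDER",
  "NEGOTIABLE2", "APPCONTAINER_PASSTHROUGH", "APPCONTAINER_CHECKS" };
#define SECPKG_FLAG_DELEGATION  0x00020000UL       /* sspi.h, bit 17 */
#define ISC_REQ_DELEGATE        0x00000001UL       /* sspi.h */
#define ISC_REQ_CONFIDENTIALITY 0x00000010UL       /* sspi.h */
#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1 << 0) /* curl.h: "policy" */
#define CURLGSSAPI_DELEGATION_FLAG        (1 << 1) /* curl.h: "always" */

/* Write the names of the set capability bits into out (comma separated);
 * return how many were set. Stops cleanly when out is too small. */
int caps_to_string(unsigned long caps, char *out, size_t outlen)
{
  int count = 0;
  size_t used = 0;
  out[0] = '\0';
  for(int bit = 0; bit < 24; bit++) {
    if(!(caps & (1UL << bit)))
      continue;
    int n = snprintf(out + used, outlen - used, "%s%s",
                     count ? "," : "", secpkg_names[bit]);
    if(n < 0 || (size_t)n >= outlen - used)
      break;
    used += (size_t)n;
    count++;
  }
  return count;
}

/* Map curl's delegation setting to InitializeSecurityContext request flags
 * as the mail sketches: "policy" asks for delegation only when the package
 * advertises it; "always" has no SSPI equivalent and is flagged, not dropped. */
unsigned long isc_flags_for(unsigned long caps, long delegation, int *unsupported)
{
  unsigned long flags = ISC_REQ_CONFIDENTIALITY;
  *unsupported = 0;
  if(delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
    if(caps & SECPKG_FLAG_DELEGATION)
      flags |= ISC_REQ_DELEGATE;
  }
  else if(delegation & CURLGSSAPI_DELEGATION_FLAG)
    *unsupported = 1;
  return flags;
}
```

Run over 0x83bb3 the decoder lists 11 capabilities and DELEGATION is not among them, so the guarded mapping never sets ISC_REQ_DELEGATE for this package even though the mail reports that the flag works; that gap between the advertised capability and the observed behaviour is exactly the puzzle the mail raises.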


Received on 2019-10-10