GSS_ACCEPT_SECURITY_CONTEXT

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

GSS_ACCEPT_SECURITY_CONTEXT

Balakrishnan, Sivakumar
Hi,

 

I am trying to implement a custom Kerberos authentication for my IIS
application using an ISAPI filter.   I am expecting the
gss_accept_security_context tor return me AP-REP if I passed a input
token(contains AP-REQ) with mutual_authentication flag set in its
AP-options.  But in my program the gss_accept_security_context returns a
GSS-S-Complete but when I parse the output token it just contains the
Input principal and didn't contains a APP-REP.

 

 

Any help is greatly appreciated.

 

Thanks

Siva

 

P.S:  I am using the gssapi32.lib and the binary from MIT Kerberos for
Windows (2.6.5) that I downloaded from MIT site

 



This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: GSS_ACCEPT_SECURITY_CONTEXT

Jeffrey Hutzelman


On Tuesday, September 27, 2005 10:11:56 AM -0500 "Balakrishnan, Sivakumar"
<[hidden email]> wrote:

> I am trying to implement a custom Kerberos authentication for my IIS
> application using an ISAPI filter.   I am expecting the
> gss_accept_security_context tor return me AP-REP if I passed a input
> token(contains AP-REQ) with mutual_authentication flag set in its
> AP-options.  But in my program the gss_accept_security_context returns a
> GSS-S-Complete but when I parse the output token it just contains the
> Input principal and didn't contains a APP-REP.

It's unclear here whether the context token you're passing in is one you
got from another GSSAPI, or one you constructed yourself.  The AP-REQ used
by the Kerberos GSSAPI mechanism uses a special "checksum" which contains
additional data used in negotiating the GSSAPI context (see RFC4121,
section 4.1.1, or RFC1964 section 1.1.1).  Part of this data includes flag
bits indicating which GSSAPI-level options were requested by the
application.  In order for mutual authentication to happen, the 0x02 bit in
these flags must be set.

At the GSSAPI level, the way to do this is to make sure that the
mutual_req_flag (in C, GSS_C_MUTUAL_FLAG) is set in the call to
GSS_Init_sec_context().

-- Jeffrey T. Hutzelman (N3NHS) <[hidden email]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: GSS_ACCEPT_SECURITY_CONTEXT

Balakrishnan, Sivakumar
In reply to this post by Balakrishnan, Sivakumar
Thanks Jeff.. Sorry for the lack of details.

Here is what I am doing.

Runtime Environment:
        1. Linux Server Hosting KDC
        2. Windows 2003 server running IIS in a workgroup environment as
Application Server
        3. Windows XP as workstation running IE 6.0
        4. Workstation has been joined to Linux realm
       

In our Single Signon Solution,
1. The user will login to workstation (Kerberos realm on the linux)
2. Open IE and will invoke a page on the IIS
3. During the above process we like to authenticate the user using
Kerberos protocol

So I am implementing an ISAPI filter which will filter all the request
to the IIS.  

Step by step Handshake and ISAPI FILTER functionality
--------------------------------------------------------
1. Check the incoming request's authentication header
2. If not Negotiate(Kerberos) then reject (401) and request a Negotiate
authentication
3. Since IE is logged on the realm and the KDC have a service principal
for the http service on the application server, IE will send a page
request with Negotiate authentication header (this will contains SPNEGO
token, which is wrapper over AP-REQ in a base64 encoded format)  -- (IE
will set the GSS_C_MUTUAL Authentication flag (0x02)-- I have verified
that using the network sniffer ethereal)


4. Upon receving the valid SPNEGO token, ISAPI parse the token and
establish a security context by supplying the appropriate keytab and
server info.

5. After that I invoing gss_accept_security_context with appropriate
parameter and expected to get a return token with AP-REP.

6. But just got the GSS_S_COMPLETE with a output token that contains the
logged in user principal.



Thanks
Siva

-----Original Message-----
From: Jeffrey Hutzelman [mailto:[hidden email]]
Sent: Tuesday, September 27, 2005 9:42 AM
To: Balakrishnan, Sivakumar; [hidden email]
Cc: Jeffrey Hutzelman
Subject: Re: GSS_ACCEPT_SECURITY_CONTEXT



On Tuesday, September 27, 2005 10:11:56 AM -0500 "Balakrishnan,
Sivakumar"
<[hidden email]> wrote:

> I am trying to implement a custom Kerberos authentication for my IIS
> application using an ISAPI filter.   I am expecting the
> gss_accept_security_context tor return me AP-REP if I passed a input
> token(contains AP-REQ) with mutual_authentication flag set in its
> AP-options.  But in my program the gss_accept_security_context returns
a
> GSS-S-Complete but when I parse the output token it just contains the
> Input principal and didn't contains a APP-REP.

It's unclear here whether the context token you're passing in is one you

got from another GSSAPI, or one you constructed yourself.  The AP-REQ
used
by the Kerberos GSSAPI mechanism uses a special "checksum" which
contains
additional data used in negotiating the GSSAPI context (see RFC4121,
section 4.1.1, or RFC1964 section 1.1.1).  Part of this data includes
flag
bits indicating which GSSAPI-level options were requested by the
application.  In order for mutual authentication to happen, the 0x02 bit
in
these flags must be set.

At the GSSAPI level, the way to do this is to make sure that the
mutual_req_flag (in C, GSS_C_MUTUAL_FLAG) is set in the call to
GSS_Init_sec_context().

-- Jeffrey T. Hutzelman (N3NHS) <[hidden email]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos