Note: I am able to make some progress, see editing for my current question, thanks.
I would like to use libcurl for Windows to access Kerberos / GSSAPI authentication websites. At first I tried to work with MIT Kerberos, but I also need NTLM authentication using SSPI (libcurl does not support using as two different implementations). Therefore, I am looking for authentication in Kerberos using the Windows SSPI library. I managed to build libcurl with support for SSPI and SPNEGO.
Now my problem is that I need to connect to any provided realm with the provided credentials (this may be the area of โโthe current user or another). From what I understand, I need to call AcquireCredentialsHandle and InitializeSecurityContext from secur32.dll / security.dll to get a Kerberos ticket.
But every time I try to make it work, I:
- Do not purchase any tickets from the DC provided credentials / area in the SSPI cache (I use kerbtray.exe to view entries).
- Should I see a ticket in this cache when using abstract methods?
- Using libcurl after calling ImpersonateSecurityContext with client / server feedback in InitializeSecurityContext / AcceptSecurityContext and looking at the packets in Wireshark, I see that libcurl does not use any provided credentials and doesnโt return to NTLM (this just causes authentication to fail)
- Is the loopback client / server working correctly (I could not find any example of another implementation on the Internet)?
- Should libcurl use the granted thread authority, provided the impersonation was successful?
- Is libcurl supported on all NTLM + Kerberos with SSPI (I'm not even sure about that ...)?
To facilitate debugging and tests, do you know any tool for adding entries to the SSPI cache, for example, kinit from the MIT Kerberos library? I am using Windows Server 2003 Resource Kit Tools, but I could not find such a tool ...
Any help would be greatly appreciated!
EDIT
Ok, I found out how to do what I want using libcurl. Finally, I assumed that I had to do some work with SSPI in advance, but Curl correctly supports this.
curl will authenticate in the kerberos realm and store it in the LSA cache when using a properly built version of curl with the SSPI and SPNEGO flag.
When using curl.exe for testing, you need to specify the -negotiate argument along with the username / password. However, when using libcurl, simply set the CURLOPT_HTTPAUTH parameter to anything that contains CURLAUTH_GSSNEGOTIATE (for example, CURLAUTH_ANY). In my tests, libcurl did the expected Kerberos handshake:
- Contact the web server (web.b.com, where B.COM is the Kerberos realm of the web server).
- Unauthorized response received, WWW-Authenticate set to Negotiate
- Libcurl / SSPI sends TGS-REQ to the domain controller (DC) of the current user's domain (say A.COM)
- Somehow, the next TGS-REQ is sent to the web server domain controller (B.COM)
- The B.COM domain Kerberos ticket is received and the entry is added to the LSA cache (can be viewed using klist.exe or kerbtray.exe)
- Libcurl sends an HTTP request to the web server with authorization information (GSS-API)
However, and here is my new problem, all this handshake was done with already registered credentials, for example user1@A.COM. Since there is trust between A.COM and B.COM, and my user has access, it works. Would I rather use the provided credentials (user2.B.COM) to log in?
Also, I'm not quite sure if it is possible to add an entry to the LSA cache of a different user than the one that is currently registered?
How can I do this work by impersonating user2.B.COM so that libcurl can access the ticket associated with this user for authentication on the web server?