I am trying to get Integrated Windows Authentication (using the default credentials for the current Windows user) to log in to my Exchange 2007 account (SMTP / POP3 / IMAP).
I already have a working implementation for this, but it uses SSPI functions and therefore requires unmanaged code rights (no good). I tried to use the NegotiateStream class for this, but it does not work.
You cannot directly use NegotiateStream with POP3 / IMAP / SMTP, since each request and response in the entire chain needs to be wrapped in base64 and covered by suffixes of the mail protocol, etc. So, I implemented my own stream class that does this and injected it between NetworkStream and NegotiateStream. However, I noticed that the requests created by NegotiateStream and the responses it expects are different from those that I have successfully used (and those created by other mail clients capable of NTLM / GSSAPI authentication).
In particular, NegotiateStream first sends a request with a length of 5 bytes, which is not sent by other implementations. This packet is rejected by Exchange with a protocol error message.
The second request created by NegotiateStream is correct (starts with NTLMSSP). So, I decided to ignore the first packet in the base64 encoding intermediate stream and not send it. When Exchange receives the second packet, it successfully uses this packet and returns the correct continuation response. However, this time, NegotiateStream wants to receive a response of 5 bytes, while the server returns a much larger response. In short, NegotiateStream sends one more request and expects one more response than it should.
I can avoid sending the first “redundant” 5-byte packet, but I cannot come up with the first 5-byte response packet expected by NegotiateStream. I tried to feed the same packet that NegotiateStream tried to send earlier, but that of course did not work.
, . Windows XP SP3 Windows Server 2008.
Kerberos/GSSAPI, , , , Kerberos 5- . , , Exchange . , GSSAPI SASL ( POP3/IMAP/SMTP ), ? NegotiateStream , , , , 5 ?
NegotiateStream, AUTH NTLM, AUTH GSSAPI Exchange, . ( GSSAPI, NTLM) ( GSSAPI NTLM). 5 .
IIS SMTP Windows XP . SSPI- -NegotiateStream , NegotiateStream . , , NegotiateStream .
- , , SmtpClient - NTLM. , SmtpClient NegotiateStream, SSPI, .
Visual Studio 2010/.NET 4.0. ( / NegotiateStream).
: - (
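An added example, not part of the original post: the 5-byte packets described above match the handshake header of the .NET NegotiateStream framing published as MS-NNS (message id, version 1.0, big-endian payload size), which NegotiateStream writes before each token and reads before each reply. The sketch below strips that header on the way to the mail server and synthesizes it on the way back; the class and method names and the `final` parameter are hypothetical, and deciding when a SASL exchange counts as final is left to the caller.

```csharp
using System;
using System.Text;

// Added example. Header layout follows the MS-NNS handshake framing:
// [0] message id, [1] major version (1), [2] minor version (0), [3..4] payload size, big-endian.
static class NnsFraming
{
    public const byte HandshakeDone = 0x14, HandshakeError = 0x15, HandshakeInProgress = 0x16;
    public const int HeaderSize = 5;

    // Outbound: validate and drop the NNS header, return the token as a base64 SASL line.
    public static string ToSaslLine(byte[] header, byte[] payload)
    {
        if (header == null || header.Length != HeaderSize) throw new ArgumentException("expected a 5-byte header");
        if (header[0] == HandshakeError) throw new InvalidOperationException("NegotiateStream reported a handshake error");
        if (header[1] != 1 || header[2] != 0) throw new NotSupportedException("unexpected NNS version");
        int size = (header[3] << 8) | header[4];
        if (payload == null || payload.Length != size) throw new ArgumentException("payload length does not match header");
        return Convert.ToBase64String(payload);
    }

    // Inbound: decode the server's base64 token and prepend the header NegotiateStream reads first.
    // 'final' (hypothetical parameter) selects HandshakeDone instead of HandshakeInProgress.
    public static byte[] FromSaslLine(string base64, bool final)
    {
        byte[] token = Convert.FromBase64String(base64.Trim());
        if (token.Length > ushort.MaxValue) throw new ArgumentException("token too large for one handshake frame");
        byte[] frame = new byte[HeaderSize + token.Length];
        frame[0] = final ? HandshakeDone : HandshakeInProgress;
        frame[1] = 1;
        frame[2] = 0;
        frame[3] = (byte)(token.Length >> 8);
        frame[4] = (byte)(token.Length & 0xFF);
        Buffer.BlockCopy(token, 0, frame, HeaderSize, token.Length);
        return frame;
    }

    static void Main()
    {
        // Constructed sample: not a real NTLM message, only the signature plus filler bytes.
        byte[] token = Encoding.ASCII.GetBytes("NTLMSSP\0constructed");
        byte[] header = { HandshakeInProgress, 1, 0, 0, (byte)token.Length };
        string line = ToSaslLine(header, token);
        Console.WriteLine("to server: " + line);
        byte[] back = FromSaslLine(line, false);
        Console.WriteLine("to stream: " + BitConverter.ToString(back, 0, HeaderSize));
    }
}
```

The mail-protocol prefix on the server's continuation line (for example the SMTP reply code) still has to be removed before the base64 text is passed to `FromSaslLine`.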