How to create SPNEGO token to be sent in HTTP header from Kerberos TKT?

Question

I am developing an application that requires to authenticate with proxy using negotiate. User may not have Kerberos client installed. I am trying to achieve this using MIT Kerberos Library in order to avoid platform dependecy. I have successfully got TKT using krb5_get_init_creds_password and verified it krb5_verify_init_creds. Now I want ot create SPNEGO token to be sent in HTTP header using this TKT. Can anyone tell me any API or method to create SPNEGO token?

Answer 1

You can use gss_init_sec_context for the purpose.

Some background:-

SPNEGO is an abstraction on top of kerberos for HTTP based communication(which does not use the security context for encryption though)

for this pupose do the following:-

1. Now that you have krb5_get_init_creds_password and have got the krb5 mech credential create an in memory credential cache using krb5_cc_new_unique and then initialize it.

2. Now use krb5_cc_store_cred to store it into that cache

3. Use gss_krb5_import_cred to get a GSSAPI token

Now you have all the necessary preauth info. All you need to do is to use gss_init_sec_context for create an input token.

Now here is a good part, latest MIT Kerberos libraries support SPNEGO natively. There is an OID structure called gss_OID that you need to create. For SPNEGO that is:-

 static gss_OID_desc _gss_mech_spnego = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; 

and then pass this as an argument to gss_init_sec_context.

If you are using an older MIT Kerberos library then I suggest you use fbopenssl for this purpose. You can check out curl source code to check out how it is done.