Question

I am developing an application that requires to authenticate with proxy using negotiate. User may not have Kerberos client installed. I am trying to achieve this using MIT Kerberos Library in order to avoid platform dependecy. I have successfully got TKT using krb5_get_init_creds_password and verified it krb5_verify_init_creds. Now I want ot create SPNEGO token to be sent in HTTP header using this TKT. Can anyone tell me any API or method to create SPNEGO token?

Was it helpful?

Solution

You can use gss_init_sec_context for the purpose.

Some background:-

SPNEGO is an abstraction on top of kerberos for HTTP based communication(which does not use the security context for encryption though)

for this pupose do the following:-

  1. Now that you have krb5_get_init_creds_password and have got the krb5 mech credential create an in memory credential cache using krb5_cc_new_unique and then initialize it.

  2. Now use krb5_cc_store_cred to store it into that cache

  3. Use gss_krb5_import_cred to get a GSSAPI token

Now you have all the necessary preauth info. All you need to do is to use gss_init_sec_context for create an input token.

Now here is a good part, latest MIT Kerberos libraries support SPNEGO natively. There is an OID structure called gss_OID that you need to create. For SPNEGO that is:-

 static gss_OID_desc _gss_mech_spnego = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; 

and then pass this as an argument to gss_init_sec_context.

If you are using an older MIT Kerberos library then I suggest you use fbopenssl for this purpose. You can check out curl source code to check out how it is done.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top