I am developing an application that requires to authenticate with proxy using negotiate. User may not have Kerberos client installed. I am trying to achieve this using MIT Kerberos Library in order to avoid platform dependecy. I have successfully got TKT using krb5_get_init_creds_password and verified it krb5_verify_init_creds. Now I want ot create SPNEGO token to be sent in HTTP header using this TKT. Can anyone tell me any API or method to create SPNEGO token?
How to create SPNEGO token to be sent in HTTP header from Kerberos TKT?
3.5k views Asked by Ajit Singh At
1
There are 1 answers
Related Questions in KERBEROS
- Jndi connect to LDAP by GssApi KrbException: Server not found in Kerberos database (7)
- Kerberos Authentication for an API
- SASL GSSAPI: ldap_sasl_interactive_bind : Other error (80) no credentials supplied
- SQL Server Kerberos authentication
- How do I obtain a user's domain in nginx during authentication through AD with Kerberos?
- Kerberos ticket validity
- Unable to create Kafka Consumer using Kerberos Authentication System
- Does DataGrip Support Postgres Authentication with Kerberos?
- Setting up SOLR authentication kerebos plugin
- Authenticating and transferring files to the shared drive using Kerberos auth via SMB in Python
- Resolving Kerberos vs NTLM Authentication Issue in Cross-Domain SQL Server Connection
- Git clone failed with Krb5LoginModule error - JNA Library
- SPNEGO/GSS-API Golang packages for Kerberos authentication on MacOS
- VBA MSXML2.ServerXMLHTTP60 Web Request with Kerberos Authentication
- Deserializing a Kerberos Token
Related Questions in SPNEGO
- How do I obtain a user's domain in nginx during authentication through AD with Kerberos?
- GSSException Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
- SPNEGO initialisation failing in the Spring boot based microservice
- Supporting SSO for a REST API under Windows without using SPNEGO
- Liberty - CWWKS4310W: The client delegated GSSCredentials were expected to be received but were not found for user
- Enabling SPNEGO security in Angular
- Kereberos Authentication
- Single sign on with AD Service Account user with Kerberos results in Authentication error
- Keycloak and Kerberos integration using curl SSO
- How to use DaoAuthenticationProvider as a fallback for SSO with Kerberos/Spnego
- WWW-Authenticate is not being sent with HTML login form of Keycloak
- How do you verify a SPNEGO token once it's generated in integration testing
- Traditional WebSphere SPNEGO authentication fails - SECJ0056E: Authentication failed for reason Cannot find the user
- Adsys can't fetch GPOs from Active Directory
- Migrate SPNEGO configuration from Wildfly 18 to Wildfly 28
Related Questions in PROXY-AUTHENTICATION
- Using Kerberos/ntlm2 auth for proxy plug-in path in chrome options while using selenium chrome driver
- How to set ProxyAuthenticationStrategy in HttpClientBuilder?
- Getting 407 Authorization error while executing RestAssured code after providing custom proxy details
- ERR_UNEXPECTED_PROXY_AUTH for preflight request in chrome only first time
- Ticket validated but no PGT in the ticket validation response (CAS 6.5.9)
- Proxy authentication with python requests
- How to use Proxy with Username and Password in Selenium C#
- Using connect-exchangeonline PS via a proxy from within C# (.NET Core 3.1)
- WebRequest is not able to validate invalid proxy credentials after validating valid credentials in vb.net
- Unable to authenticate Proxy using quarkus-microprofile restclient
- How to provide Credentials in http Proxy in Dotnetbrowser?
- DotNet HttpClient.DefaultProxy Property not reading system settings on Win10
- Couchdb and proxy authentication
- How do I auth a user:pass proxy in golang
- How can i change webdriver proxy via chrome extension without closing the webdriver?
Related Questions in NEGOTIATE
- Problem with Apache PHP CURL and CURLAUTH_NEGOTIATE authentication against EWS Exchange Webservice
- Is WebRTC perfect negotiation necessary?
- ReactJS with Windows domain login SSO
- SignalR Error! signalr/negotiate gets a "403 - Forbidden: Access is denied." error
- Authentication with 'Authorization: Negotiate' in the initial request with WCF
- How to use Windows authentication as an alternative to password login? ASP.NET Core
- Win SSPI Negotiate auth when running a service and client both locally
- SignalR working on Localhost, BUT not working on Server win server 2019 with IIS
- Cypress: configure hardcoded user for api requests with cypress-ntlm-auth proxy
- .NET HttpClient do not persist authentication between reqeusts to IIS when using NTLM Negotiate
- Get Angular working with Waffle Spring boot + Spring Security and embedded tomcat
- When using --negotiate with curl on windows, SSL/TLS handshake fails
- IIS web app stops working if Negotiate:kerberos is selected as provider under windows auhentication
- webHDFS curl --negotiate on Windows
- LEGACY EDGE ONLY: HTTP request is unauthorized with client authentication scheme 'Negotiate'. .'
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Popular Tags
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
You can use gss_init_sec_context for the purpose.
Some background:-
SPNEGO is an abstraction on top of kerberos for HTTP based communication(which does not use the security context for encryption though)
for this pupose do the following:-
Now that you have krb5_get_init_creds_password and have got the krb5 mech credential create an in memory credential cache using krb5_cc_new_unique and then initialize it.
Now use krb5_cc_store_cred to store it into that cache
Use gss_krb5_import_cred to get a GSSAPI token
Now you have all the necessary preauth info. All you need to do is to use gss_init_sec_context for create an input token.
Now here is a good part, latest MIT Kerberos libraries support SPNEGO natively. There is an OID structure called gss_OID that you need to create. For SPNEGO that is:-
and then pass this as an argument to gss_init_sec_context.
If you are using an older MIT Kerberos library then I suggest you use fbopenssl for this purpose. You can check out curl source code to check out how it is done.