question

VishnuGopalakrishnan-8317 asked FeiXue-MSFT commented

How to extract the Kerberos token from the output buffer of the Windows SSPI API?

We have implemented Kerberos using Windows SSPI. The authentication was successful.
We want to store the Kerberos token for future use.
How could we extract the token from the SecBufferDesc returned by InitializeSecurityContext?
Also, how can we check whether the token is correct or not?

// Assumed to be set up before this snippet (not shown in the question):
//   PSecPkgInfo pkgInfo        from QuerySecurityPackageInfo(L"Kerberos", &pkgInfo)
//   CredHandle  stCredHandle   from AcquireCredentialsHandle(...)
//   pcPrincipalName            the target SPN string, e.g. L"HOST/server.example.local"
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>

SECURITY_STATUS lSecStatus;
TimeStamp SecurityContextLifetime;
bool bHaveCtxtHandle = false;               // false on the first leg, true once a context exists
CtxtHandle contextHandle = { 0 };
SecBufferDesc outSecBufDesc;
SecBuffer outSecBuf;
SecBufferDesc inSecBufDesc;                 // only passed once a server reply token is available
ULONG ContextAttributes = 0U;
PBYTE pOutBuf = new BYTE[pkgInfo->cbMaxToken];
outSecBufDesc.ulVersion = SECBUFFER_VERSION;   // == 0
outSecBufDesc.cBuffers = 1;
outSecBufDesc.pBuffers = &outSecBuf;
outSecBuf.cbBuffer = pkgInfo->cbMaxToken;   // capacity in; the call overwrites it with the real token size
outSecBuf.BufferType = SECBUFFER_TOKEN;
outSecBuf.pvBuffer = pOutBuf;
lSecStatus = InitializeSecurityContext(&stCredHandle,
    bHaveCtxtHandle ? &contextHandle : NULL,
    pcPrincipalName,
    ISC_REQ_USE_SUPPLIED_CREDS,
    0,
    SECURITY_NATIVE_DREP,
    bHaveCtxtHandle ? &inSecBufDesc : NULL,
    0,
    &contextHandle,
    &outSecBufDesc,
    &ContextAttributes,
    &SecurityContextLifetime);
// On SEC_E_OK or SEC_I_CONTINUE_NEEDED the token to send to the server (or to store)
// is the first outSecBuf.cbBuffer bytes of outSecBuf.pvBuffer.

windows-api
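The question asks how to check that the token in outSecBuf is correct, and the comments below mention sessions unexpectedly falling back to NTLM. As an added example (not code from the question or from Microsoft), here is an offline C++ sanity check over the bytes in outSecBuf.pvBuffer[0..cbBuffer): it verifies the RFC 2743/1964 GSS-API framing and mechanism OID of a Kerberos SSP token, recognises a SPNEGO (Negotiate) wrapper, and flags a raw NTLMSSP message. The sample tokens are constructed stubs (framing plus a dummy body), and copying the SSPI buffer into a std::vector is assumed.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>
// DER-encoded mechanism OIDs as they appear on the wire (tag 0x06, length, contents).
static const uint8_t kOidKrb5[]   = {0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02}; // 1.2.840.113554.1.2.2
static const uint8_t kOidSpnego[] = {0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02};                // 1.3.6.1.5.5.2

static bool startsWith(const std::vector<uint8_t>& b, size_t pos, const uint8_t* p, size_t n) {
    return pos + n <= b.size() && std::memcmp(&b[pos], p, n) == 0;
}
// Read a BER length (short or long form) at b[pos], advancing pos; false if malformed.
static bool readLength(const std::vector<uint8_t>& b, size_t& pos, size_t& len) {
    if (pos >= b.size()) return false;
    uint8_t first = b[pos++];
    if (first < 0x80) { len = first; return true; }
    size_t n = first & 0x7F;
    if (n == 0 || n > 4 || pos + n > b.size()) return false;
    for (len = 0; n--; ) len = (len << 8) | b[pos++];
    return true;
}
// Classify the bytes in outSecBuf.pvBuffer[0..cbBuffer): "kerberos", "spnego", "ntlm" or "unknown".
std::string classifyToken(const std::vector<uint8_t>& t) {
    static const uint8_t ntlm[] = {'N','T','L','M','S','S','P',0};            // raw NTLMSSP message: a downgrade
    if (startsWith(t, 0, ntlm, sizeof ntlm)) return "ntlm";
    if (t.empty() || t[0] != 0x60) return "unknown";                          // [APPLICATION 0] InitialContextToken
    size_t pos = 1, len = 0;
    if (!readLength(t, pos, len) || pos + len != t.size()) return "unknown";  // length must cover the whole token
    if (startsWith(t, pos, kOidSpnego, sizeof kOidSpnego)) return "spnego";
    if (!startsWith(t, pos, kOidKrb5, sizeof kOidKrb5)) return "unknown";
    size_t p = pos + sizeof kOidKrb5;                                          // TOK_ID 01 00 = KRB_AP_REQ (RFC 1964 1.1)
    return (p + 2 <= t.size() && t[p] == 0x01 && t[p + 1] == 0x00) ? "kerberos" : "unknown";
}
// Constructed sample tokens (framing plus a stub body), not captures from a real exchange.
std::vector<uint8_t> constructedSample(const std::string& kind) {
    if (kind == "ntlm") return {'N','T','L','M','S','S','P',0,0x01,0,0,0};
    std::vector<uint8_t> t = {0x60, 0x82, 0x00, 0x0F};                        // long-form length, as real tokens use
    if (kind == "spnego") { t = {0x60, 0x08}; t.insert(t.end(), kOidSpnego, kOidSpnego + 8); return t; }
    t.insert(t.end(), kOidKrb5, kOidKrb5 + sizeof kOidKrb5);
    t.insert(t.end(), {0x01, 0x00, 0x6E, 0x00});                              // TOK_ID + stub AP-REQ
    if (kind == "truncated") t.pop_back();                                    // framing length no longer matches
    return t;
}
int main() {
    for (const char* k : {"kerberos", "spnego", "ntlm", "truncated"})
        std::cout << k << " -> " << classifyToken(constructedSample(k)) << "\n";
}
```

A result of "kerberos" only confirms framing and mechanism; the only authoritative check is feeding the bytes to AcceptSecurityContext on the target service.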

Hi @VishnuGopalakrishnan-8317, could I know how you implemented the Kerberos authentication using SSPI? Could you share your sample code? I want to use SSPI to set up secure communication, but when doing authentication it always gets downgraded to NTLM, and I am not sure why. I have used setspn to register the SPN name and set it as the target name, but it still failed. Could you help me? Thank you so much!


We have taken 128589-image.png as a reference.


judyzhang-6878 (replying to VishnuGopalakrishnan-8317):

Yes, thanks for your reply, I have seen this article. And what parameter do you use for the target name in InitializeSecurityContext? Just the domain user name? Do you do some additional configuration for the domain? Because when I use the domain user in this authentication function, it still uses the NTLM protocol.


1 Answer

XiaopoYang-MSFT answered FeiXue-MSFT commented

Sorry, how do I use SECBUFFER_TOKEN? i.e. in which way do we store it? Decrypted? Or binary or char? Any samples please.

Can I use QueryContextAttributes(&contextHandle, SECPKG_ATTR_ACCESS_TOKEN, pBuffer)? When I checked, it failed with 0x8009030b.

XiaopoYang-MSFT (replying to VishnuGopalakrishnan-8317):

0x8009030B is SEC_E_NO_IMPERSONATION. And you may try the char token.
Here is the error source.

If the security context is for a server or is incomplete, the returned handle may be NULL. Depending on the security package, QueryContextAttributes (General) may return SEC_E_NO_IMPERSONATION for these cases.


Thanks for the reply. This I could see. Are there any C++ samples available to fetch the Kerberos token?
