windows winrm server keeps replying 400 when I try to send encrypted kerberos message over HTTP

zbeyebee 20 Reputation points
2023-03-28T19:43:05.5366667+00:00

To start with, our product is written in Java. We use a custom transport that wraps org.apache.http.client and javax.security.auth to communicate with the Windows Remote Management service.

What we have now: first we authenticate through Kerberos, then send the SOAP messages over either HTTP or HTTPS; both work and reply with a 200 status code and the corresponding response.

But we have a customer request: they want to send messages that are encrypted at the message level over HTTP.

That means that after authentication is established, we need to encrypt the SOAP message and then send it over the HTTP connection.

I referred to this document from Microsoft

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsmv/3fc54d8b-b087-486e-9f50-8253e9e30b43

and formatted the whole header/data structure, but I always got back a 400 error; the event log on the Windows server showed "couldn't decrypt the packet".

So apparently there was something wrong with the format I sent to the server, so it could not be parsed. But there were no detailed logs or events stored on the Windows server, so I couldn't tell what happened inside it.

I enabled wsmantraces and got a wsmtraces log file.
But it was in binary format; I couldn't read or analyze it, and I could not store the log in other formats either.

Here is the tcpdump trace I recorded from the server

@t.^.a........P....I..POST /wsman HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Connection: Keep-Alive
Content-Length: 0
Host: hp-dl3116.corp.vmturbo.com:5985
User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.17)
Accept-Encoding: gzip,deflate
Authorization: Negotiate YIIQzwYJKoZIhvcSAQICAQBughC+MIIQuqADAgEFoQMCAQ6iBwMFACAAAACjggc6YYIHNjCCBzKgAwIBBaESGxBDT1JQLlZNVFVSQk8uQ09Noi0wK6ADAgEDoSQwIhsESE9TVBsaaHAtZGwzMTE2LmNvcnAudm10dXJiby5jb22jggbmMIIG4qADAgESoQMCAS2iggbUBIIG0HW7kbG/UMirIHG0Nt5FeoAz5LXh9GxD2vjYtNZySK81+owjt141n6oArs6bRrrqT7/14mdkYkiect/8s/vkSvsQz+RZdSim7zDGbF0Ei4XjifUFY6XCpu/jVCFzr30UYjeTO+teSBfGVIuXJ7sIn5+iFJklCPEjEn23oyLMxApe/tNduQmkqHT5uDEW4zAdfe47m3sAIVPaoHZIVrypn6zJ9o8qKanPP+RkHmBRcfLT9pyWli0nZQSsaNiSeKSV16VQJ2e76Y7GBYQlYZEhZfd1EBruGKmCfyg5KJV7ku6fMcdTYKSurIa/4sWXD5vzn2+3PzgV6YzkK+nlPMPQn1b/OzK0Fc77sgyQ/93lAdR5O++A4awue4WWsluyCJPHK+YlSrXma50uQMpa+H9FwXJqJrWhp2zwNkO/uylOZpNaRFgoKVVttTjm9KWoYswxONNfGD4/5j5bqLcoi+Yv2BaOl/atJbbtU5hrCGCLWNcgHoQwZtxOApcRk9spFWmS4zayNCsysOXUf43qhqJwiU6YmUk5Ry2L4XiMTgkZBKmmh1CaFvBrA/gnyNcnrwXdiXj42gRQBLgB3EnPv+4yPKmyWGU75rLTWVi32KEG+8JA/cFQpJ39N3c9bIfj1srAFDn7ZSR7Keg93Yz00K7dRvpZp5UWriyEsUObX/9lB/8pnhpzp02eT5u3sXwqMeEjkKIy54HYcX0K3oDz4ar0rJvSs+54OhnT2N13KfkHzkG0o+Y2a5jsxD1ZXjFEK7Cdk43yfBL4r+0kCnOLJPziOWMDvFg8UqGjKd6aEeWB35Qc1eYcJ8WDN7S/uTE/2s9yAG5q0uhgqDo26I2KbQpEYhSWm1qqS8VLqTj0LMD7Ej1vTaXgzJxeqO442ozaD7utPkUV5JBpb2bOd8M7FVWYiSTZJpa3pu8+018Dp31L+81dK8BGhPmJMh4SkkfiNeoI/gdhW1NWKu7C8Bz2tQtMCiThUGX7T7vsm89KGZlJ3SIyI3Sq9ekfap2XQTtN/er3Qjbbl/13FVM4Bh0huFfOP5c1LD7gUUyTOf8mH372lH2hw8zEJaC49q8G7eJTlzufhJKRzT8MuK4UphgNcydQnjz4j64Oi1ZDy3uSh1e2krxwOrkZ27FRVXCETQnXHZE1Ho7aZV1BJndKDPQNof3SsTcW9QU6z6DCgcCRqk8IXxiMjiBCAiFS9sjl0Dn1VvXUyAc/sf6T42lOg/rapo/xhOygnsIK6iDNsT38kZWcPA/ANByti1/DZB3PMe8md9AVahmY3IkbRsaGMVb2YACv7W2aOWNt67l/JoCfZXFEV0HNHOM1WYcdj4YH+csdozxMfflRkmkTlHBkundPGOG/en93RenYQX/byJpamgZ1xJt3KnBfr5wDUIx9lOeWgF854QIjkumLZrc0igHM6p0LJk4MYHiv6i49SbkZLVxeR6u4q735nnyoipJSfg6m8f3OCEMMsRUkjrQLmgxAiPrCY0/42ibUV8ILeTJaP/yBADrrmTrsnbVaHwPv8P14r/Tfp7fd0gL0tl267Ae3T1yTexAJ4vdSLYrdDCTLZBF42HftTwLj8wZMiyJuk6ePBHTBR7ExEwxy/vMt5JjL0mBicB55rKI424k9aDvTLtGR/ukx+tSgiIEBP4KuYkXir4DB1Sc0mQjR6alYpFcRZR7+afdKL20NZw1dR0vXHm6n5+MGmePZLi7SrqTwCiu0Vr5scPjq1eV53/mRCGwjJ06xEdb2fyF81q9Mlc9ksJ8g+zu
jMNWxsoLtjtNN5dxzrertjhOlwugPxgU6+yed8n4sKSgFVxzG6QRK1gTURDY7SMy/ugSbhkPj/aKV9ueTMVB8o7zx1OW+icOOd59PxlQqw2Q2SXWUlGMWAm8hTfKSxtR7KhR8sfkaB0nfruJelJUbRHoR/zLSWVDrAMpXbYg8P1yliXcOdOCFdGa3GPoclBViCPgTmFAbTjPqVr2aNrX+OqGZdiUq7vjFPEqiNs7/ITA2Z397MXWG1GKga6OlS4tyh+ZXaHklPbBa4n2PH4toD93Bbwtu2Tlj+vVv6pZLmqDpLSksDKsMXwT+L+H1DVI9gm5Cgfn9NIdYYU6vWZxXuCVo3HeJVeglBohfzyLpifA5sHCySuZIYt2XfLn0R0DU7GTPRnXH90LbRQVCYlClaPw+9iL0Cxttt7g6CQZsgQZ12CZUNmycmbiFZod3+ZhTr9+v8ndlrZ8DoovYE0ti5HNr+baHbCVCxtVynpolJZ0pXu8LZFY90dsRqqr2iK7yACgmW0TA0pVxfmjYZl9ItfQBaPXxFzL/slM47NRuesikggllMIIJYaADAgESooIJWASCCVSTNDYWg1mRC2V0V8ruGmDjztcirLvh5+5zjHKzjgRXgKu/nynSnW2NjfIVKk9k42F4wUEhe/NW8llp72MlQFxfTvN+nykT9C6WgTN5Az24I17TtIC0CxIF63JmkOaI4cL3pbW0dEp/+Xsr7SVNEbq62aDivIEm81pMvq28BaW9ZcVDgUobDT2t8QNUAYr0awMiWzahYb0YYZsV9C4UFzUBHlPPBPmBZ+K9gNFBGC//F8V0oDTrj1pccpXf2aMyKmubUvz4zb86KgSPUNnpE1YAj9SB1fq2a/+az57JXUDLuq+aLfegYKWkm6xFOxohcSE8cYaI8GiJUYDiCjD8YIMVSOL9X7sRpBfVpf1KqAaWLGokTLugWqbxDM8EJN7oCO2fIx1Zh2u1sXISYRmcaPfzZciAHPc7YbgJsGf6NW0/j+J1E9QHQeU+yTCvk4Jn6RiJuJeR2E++5J7FWY2SYIFUJh+DYfv/hikk5nGsAiWQ6VJQ7df19LfCU+9XrrAVLxowtq+ScZdpF83vNWQODOQmE0MkWnfP6hKr9KCTLkrRIu+iw1f5wvx+qcop1OSD1bNY25lEgaKoOgPIJqOpB/atXo6Jtd4yRJVXYUFcJXZ8oQx7FjQFh/2tM4B85AC9IyZjh7xZM+Obfd4kDk/9g7biaYUhvTyGHHcukWErRo8Bt7GPX5X6gW1OmxSAwyEwHXGrrKKm4gIzHpN4a8zksieFlm+oFYqiC3MV5GG307s7xzUWRdtB+0RtVeYlRVodNvGNbyg486QaXoFu+ClV3vvYFCifZk970/j3lZYdEUsIvxQ59v0rXLY7i8uJbMBhedmtl0Sg0HXrEZZiZZBmYe0t+4Bi+Y1OmIqSOZXzpaRKes37x/crk5M35PKwOIbZkphnxN2/NDBYgwsQSABUqxoWpXH90zNt95WBd88sLWCy+XKWSlZzUt10v3kn5nO7PwaqWwj/kVGn2HD712HlNwJbnw7uePb6tDp/GF4hHORXBF7xAkUpn2o1UjEG7UR6qAOI6KbiaCCJjeJZ5h4rBK0sb21dpyOvT9u0UIULlCC4Ohayf83/4oJYl8MzVF0tY15tKE3UKrjj8Gur3qVlEWdmMM1IXbT2pxnpnu5V/fNvyyeXRBCEt5qszqILt3jrNfB8bo65Qwo2z8++iY6OYch0QWyqXwKki+JWV2mulGtIgzbmpnk2pxzOUrsjHCIrkepzhel/eNv0am3lkoXWDc+mBI6S8fXEqBzKMY8ihwcmMFDbZgP1Qc1MZgzimg9Zs0Owc/JFxtrizmV4AJ4OONExAKL7D4lgMzucN4zu
19:26:32.536941 IP node1.cluster.local.58462 > hp-dl3116.corp.vmturbo.com.wsman: Flags [P.], seq 4141:6013, ack 1, win 229, length 1872
E..x&.@.@...

.z

@t.^.a........P....m..ozhYVAHN4ZPOSk+kiZlHDRyNbO8nYWGot+gbvKoXI1Jp0Nk4EuOoNa22FAwf/ORLqjDlG/Ae3UMGn2QZZhCNg2fOGZ2UNb7+2ds2suMTEU5oPth3YVxBvJpmjUJsOcwSB3UeA/b3w7uiiqMXlvofJZ5QZBVPP6BmmxHDKxNrjUOBQ+bcHpHAvlsC3az+2FRjC+H/kDEyPY8aD122mvjNtMrzUo4pluIzIzlPeT5O1UHPmLyfYiLfG79ZaRhdBjZtFnxmkiej8zBxuYzulAlCbiDM8ceuhh7Ynt5xYl4JWMRzVGqF1cM3hY03ThPP00OcMEbmSwp2Gm3XZWQSu72fYSQa1wXilwF/krivBUnqmPrH9a/LlhDF8wgrprixHVR4dVKZqyXvHsiuB4PPn9GpuO7pp1BBzAu/hDN/edZlarLvwsIeC2+AQGqjAlbtpo2vFc/8eG6SkkCgcE8xr9FBkndc/hih+77SPBsZHESj8Obs7Jw2yJBrPEnhfTamx9mpBO+DVw8ndaiQfXMgLIt9GlcXMTBwtv70qjQzR3iKE7dQNDohYprH3mFdhxwap1Pui9NBak4gMLunf4447RY0m0DUQ+OsNBVLuTTny41tmWXl+fYWyPemeFNBJ4EHuc3Z3dnL2VKH2CeZtoL9vhNob+0V5gxjVti3fkZQ9Rt/6shfGBonYW+NTNOLxRsY3b2L4jrVVvmw+1xDDOFpv1HmlNd3Orr09oJKbbS5Ztj72rwJomA+RJBfXIKErlS6G1ztrD2VgB+y8w9VAHGVmilCrGHkjiqtpWWxtoaVZ8yQNPcfwBLEqb5ULjomTcMjKm4DuO2iAxj5t5BBOYKa6YmjrFHQlVx+FpLy9XQbrpfqM/6+uYr7ydU66ZyX/HmK4hJA36UDt5U9Z2V+c1aQg9hJr39atmrPEdRYKVNervIeCZQcgrl9pP3y/URAHYSkMWLpPpo17Mw0YGjNxgn8eXdB36NvpEu23ZpV3cehSazQBF89C31gWODsKWwjbQ/QjarioMWtHJT2A8AmWpRbNN/PONxnrI6KG9oRez1hF324DFPnXKOsFXNdZ+bKq+DFghYToUWXd7D1b+w4EiK1Jt5oq36FvqCXhc+A1/V98WiLPDvwadY5JCZirUpKErFi2NhR6EICJI+Vljw5ZPx0OwYBTYKdWfpTYD4R5gMKOiI+S6ONa5rERZcni6GjlcfiL5fptEuEVTKoutGxIkl1hn/QtcT+BAy+8cBJqhXeHFIEsrWMMpzN/IUPiMvPO2BCiRDVtgvYD07l17UqgyClMAM9Gqb3QQqTe+NxDGtjKkiPk8hMWUJ0IO1bDki4CGo95mxDlmIBskZATImXT6xvNH8Wg2Qp4d79SD5ONFSyEIFht0f2U99XeCgvVvZ4rnu1gm8t4cW3BY5QchicHM8Lj1MEGBelZszEG1WXVOPN0BCQTl0+ev21Hx50bTdS4ZIK1XC07+E+g/AKsjnB6VOySJj71bfZG9f3XE+C5K/hhxkeUwmArhwOMBH+/f2clc+yLVQJcd2ZKIl3+UZLFEzHrF++qOn5wAyZgPDoKmh1l1yNn8RSAzxUet+rcEUGSIV7euElEtjtoYooK/9DQe5y0xr9GMbbx1z2QdfCdWeohGiREhY/ESZbtdMekznIC0oj3Jgu4/ACKyi9O4KjUxIDXNQaChHKSiP1YxE6nN2Y+c7HXRqxvZKkOtHgQTBunkJ3Zza9QfjOQ9Bq7z0Dlm4C1VJCZB3WOfLqfwbsK/+Js2GsMZjcv0Xqj/jNBh0KVUI/SQx/uP0eBRK5qtMhX9JpqkyaaZ9Ahuj8xO0JXv6kccRwsT190sRidppj5CRqOn2BmcWp0S6hD/SIEEo=


19:26:32.541106 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.58462: Flags [.], ack 6013, win 8193, length 0
E..(Mz@....S

@t

.z.a.^........P. .q&........
19:26:32.543721 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.58462: Flags [P.], seq 1:343, ack 6013, win 8193, length 342
E..~M{@.....

@t

.z.a.^........P. ..a..HTTP/1.1 200 
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvTXKKgD8IEy7CCOgGMSkDnjDjj/PTvXa8Nx8Ut4url6jfy9f3JWzARAlpwJ4xG4EkP601SAhv2FnHp4VLlLK0y2MOjD4tnx1EZRvLLAflEMMmAQCK/7KOfC3KUoMLcMujdgv3DojM0QjI4hEWFdbD
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 28 Mar 2023 19:26:33 GMT
Content-Length: 0


19:26:32.543819 IP node1.cluster.local.58462 > hp-dl3116.corp.vmturbo.com.wsman: Flags [.], ack 343, win 237, length 0
E..(&.@.@...

.z

@t.^.a.......QP.......
19:26:32.877522 IP node1.cluster.local.58462 > hp-dl3116.corp.vmturbo.com.wsman: Flags [P.], seq 6013:8283, ack 343, win 237, length 2270
E.	.&.@.@...

.z

@t.^.a.......QP.......POST /wsman HTTP/1.1
Accept: */*
Content-Type: multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"
Content-Length: 1946
Host: hp-dl3116.corp.vmturbo.com:5985
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.17)
Accept-Encoding: gzip,deflate

--Encrypted Boundary
	Content-Type: application/HTTP-SPNEGO-session-encrypted
	OriginalContent: type=application/soap+xml;charset=UTF-8;Length=1644
--Encrypted Boundary
	Content-Type: application/octet-stream
 ...............+!yRZ. ..?....{<t_./4.o=..s..YRp.t.n.!./E....i..F.a.:...5p}.fg.U..a.......\..@..6.%;E.'..8-..dBo.^^f...........[_>n ....f..Q.D..=gD.*+U`A....	....Jz.u8j......-.......T1Kx..v#.$R..B.f..3.5....b[.6..5......v.....I.....-.Uw.O...2].?u .....?.,ed............"..OE..3M..,....O.e3..E....e.h.h...8.....G..bx.{..,Dx..(5..H.Ij......wb.\..c...{..'......>..\-h.."...#..PI&.%.J;=.}....(..k.8...q...&}..l>! 1....	.s....}79....o;.&".E..~.0..n>4.....%...\.1.....Ch*]..q.X.. .....%aR....x.JgbV.zX..D..`*..\...............+T[......3~.b-z..+G.i.../.."..'.._..q.zig.?^z&..[.M.u_...f.fA
...b..|.I...,..%..P]..z...E`..M.....{L .../.N.5.H..*.y..&$.....Aq....iT|........4....~._Ld e.UN.h......g......d..fb`...v7....Ye.......r.......V>YY..S..........IS..Q./;..lS.....,...../#X......T,...[#O..~)..+.4...........@...2..H........wZv....
.J..g
.....$...G..%~._.9..|
....ny......0...w+..........e(W.K!>to...r..L.W..lt..%.:...`~...,..;,.J.vd...K f..n..f..w....f....<.....Mf..2.'...~.....G..'.4&..s.ci..rZ..FN2...=..	..3...l.y..W.#.I...{&...Q6.....}..dZ.B/+H....s.S.....92h..?...oa{..q.,.t.w`0.GI..w".c..j.&._..........,.....AwC..w.0k...R. .3...n.;s...[..n./Re!F..3I....!H.rZ/.m.2.4....a.R..$.......A7d.....rk......dl-.QZs..-...P..y.S.^....58..D..v..5..=.0..p.~.....,[y....6]]..+%Gx.9.F|-..2b.NAuA.......V.....2
..H.....Z"..qX7.+G...C	.rf^T	..b.y(	.e..:..Y...K...%..ZN......s<..?....I.6aHE..z..K~..\$o..*\.K.%....~|.....oOB.......o...~...6..h.1~...C.%.`l........'j...-...5.. .a....I.[..t...&K	{	.x..|...:.e.....sa......n.6...^.....F.$$~.....c(.o..N+..L<..A...G.c...bepY	|y..K./.N..Ob:..W.........s....@	xPuq&+........,h....f.s..6..b........<.u3dzp.....>f...zxU).$.J.D....7x.K.HFd.....R.....89....Br.m..%oR...?......F....@.V9--Encrypted Boundary--

19:26:32.878181 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.58462: Flags [.], ack 8283, win 8193, length 0
E..(M|@....Q

@t

.z.a.^...Q....P. .f.........
19:26:32.878500 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.58462: Flags [FP.], seq 343:466, ack 8283, win 8193, length 123
E...M}@.....

@t

.z.a.^...Q....P. .....HTTP/1.1 400 
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 28 Mar 2023 19:26:33 GMT
Connection: close
Content-Length: 0

So I sent the first response to negotiate the protocol, and the server returned 200 with one authentication token.

After that I sent the encrypted message following the document here https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsmv/3fc54d8b-b087-486e-9f50-8253e9e30b43, but I got 400 with no clue.

To compare, I also tried to send the same encrypted message over HTTP from Python using pywinrm https://github.com/diyan/pywinrm

Here are the network traces:

POST /wsman HTTP/1.1
Host: hp-dl3116.corp.vmturbo.com:5985
User-Agent: Python WinRM client
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/soap+xml;charset=UTF-8
Content-Length: 0
Authorization: Negotiate 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


19:32:12.751516 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.35110: Flags [.], ack 3086, win 8193, length 0
E..(M.@....M

@t

.z.a.&....J...P. ..%........
19:32:12.755866 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.35110: Flags [P.], seq 1:343, ack 3086, win 8193, length 342
E..~M.@.....

@t

.z.a.&....J...P. .#...HTTP/1.1 200 
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvY6joFPu1zOF4djCRbjv7fqheWQTof3DD5ql3mosPlHgznCFMq+FoiOFV4Du+TA6wj54mm8YEvL0PrRKFcQI6hwFlCiIgb+Z7777eHoPGhydil0PitK3OmkOOwF/KmmiLXHlH8sOFK4T8qSh56luU
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 28 Mar 2023 19:32:13 GMT
Content-Length: 0


19:32:12.755897 IP node1.cluster.local.35110 > hp-dl3116.corp.vmturbo.com.wsman: Flags [.], ack 343, win 237, length 0
E..(.;@.@.:.

.z

@t.&.aJ......FP.......
19:32:12.776386 IP node1.cluster.local.35110 > hp-dl3116.corp.vmturbo.com.wsman: Flags [P.], seq 3086:3391, ack 343, win 237, length 305
E..Y.<@.@.9a

.z

@t.&.aJ......FP....M..POST /wsman HTTP/1.1
Host: hp-dl3116.corp.vmturbo.com:5985
User-Agent: Python WinRM client
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"
Content-Length: 1946


19:32:12.776462 IP node1.cluster.local.35110 > hp-dl3116.corp.vmturbo.com.wsman: Flags [P.], seq 3391:5337, ack 343, win 237, length 1946
E....=@.@.2.

.z

@t.&.aJ.. ...FP.......--Encrypted Boundary
	Content-Type: application/HTTP-SPNEGO-session-encrypted
	OriginalContent: type=application/soap+xml;charset=UTF-8;Length=1644
--Encrypted Boundary
	Content-Type: application/octet-stream
<...................a.n.#.S......y.U.J....Y.n....~]...i..L.4.!..!s.M._.0...OF...y...\4k..l ..s.....fg...o.S..*a..{.9J.4.[....n>..|...r.6eC.....P...U6i......J.g{'...Tm[....U..@.M......}..8..X.N..B.:..@G`y...X[1../.........K.f..e..5...?.s.......S...........|.......u.o...>e.+....w..g.>..7;..?f
s.x.&-.e..{.......d..e#q*/.Q..foq.......k..O......Z.&k.Gf..g.R....'...a.I.%.......w(g.e.'.M....U...w........I..>..`.?
.I...9..W..1]..c8.X..K..x..:V...".c...5/......\_H....~........%.Co.(].f..P....,....._C.mg7..e..e..(.+h..v.C........0.|...Y.L4..Ix"......y........^b.S...<.2Gn....|.BU"....OYSK.Wn{.....~%.".bh..	I...i...S.v..}t.*.......nAM..i1.S..: C.%I.y.V.h.
.(.j.P0.r7..f[...i.`..].....x...D....\.:T.
2.....~..Db..Zj....Y..N..(Id}..)....F.Yh..V... S..e *...u....c.z.$.i.f.L.C.ml...e...M.....G.*......f..l'....L.+}1....{.......C..k..X......*......u...{,..s.~.?.R..1..<......(u7\s-2@.....Z.1.9/g....L..q.7..[...... .J..VfK......F.3.=%...x.,.h..F;.....<.l...TWd.p..]+.qg..Y...[.R..'+..v.....	...@.~....C.Q..a7....b.$.qcbc........&.}...	:.;b....]..&..N.1....x...z....-.=...pd...W6.;.2O2..	8..Q....*Q...0\.8.. w..U#..!_...fi...N5...._W...I.....%L+.Q...,...d.$F"..tYG.F%j.s;.....|2.h.\&W......dYD{/....+.x..m.b..g.B..s..~-.......4h.k.../.=..Y.%...~..~.~...g],....+...-/e,5.u...X....{>..UX.f....y...q..nH....>..bHA....ZD.Crx..]h....u.jC%.u.....w.L...W
1./V...F....s....|......b..;V...rCm[.D..r.qb".>TSa...3n..~...X....<..V..y...^z........k.h&.{5.u.<h.mb..D...R.~........AD...5.yp..=.\.p...~..F....TtI4...aW..MYj.B..F... ..'+...P...`.`.l......!t.H%..,........./....v.VI2.S*..i.'....M......k..:.....m..|+].g..c."C-.<.O...........e.F.N.....ym....].>U....l..{d..'G.....%.S..[.Jhf....B...Qp	.6.....)...{N......|..D.R....pr[...--Encrypted Boundary--

19:32:12.783839 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.35110: Flags [.], ack 5337, win 8193, length 0
E..(M.@....K

@t

.z.a.&...FJ...P. ...........
19:32:13.120807 IP hp-dl3116.corp.vmturbo.com.wsman > node1.cluster.local.35110: Flags [P.], seq 343:2567, ack 5337, win 8193, length 2224
E...M.@.....

@t

.z.a.&...FJ...P. .....HTTP/1.1 200 
Content-Type: multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 28 Mar 2023 19:32:13 GMT
Content-Length: 1999

--Encrypted Boundary
	Content-Type: application/HTTP-SPNEGO-session-encrypted
	OriginalContent: type=application/soap+xml;charset=UTF-8;Length=1697
--Encrypted Boundary
	Content-Type: application/octet-stream
<...............qHzz..'....61...F...q..uOM..Pc.q...._...........wG'.c.7......1..n.l-
.p.|Idpc[... ..._E.P..O@......\..!...9.\\..L...{.......4\.T...P|q"F....7.W.NDsO..M.."'bH..`?G.....j.....L....M0k.S.....H.......8.O...C....!..;Pw........ .j.n....D.c*....XGvf...rN.M.:!2.d..<.q..\..<x.?......,.4...$1..Q.{4Q.I.y.....j.j........I.y.S..]x..f"...b?[..F...g...W.P....#..q...E..R..vo..4.W...#..]..\.3j....
V..(%%.}B..k..].......J.....1A...HK!......qXK..'..lo`..j]XY.~H....a7o.,@..[.Kq..M..$...0.u..=..R...q.=...<..P...
Y......<.&..
*..(4..y..O...[.K.{,.^...[gB.....7@...+.....#pY.....>	.$G.....y.:..2.j..5J\..$?.sj.
}:8y.\....\..)c.....	..-2...`..	33...f.^.A7...{.h...+@..3c>.........=-..o..MvU....*...E.....o..1X...*.H8K}.Q.|y.....W.1...T.O..+.<...v1...TC................L.IJe..........^..\.....'Zz......B[.S..........`..mo9...*@`.._....Ue......+...*.;.$#....\......X9~.&.....
.,.m.......pn...."..b..X.^.....;..`...J.K...m|2.|z..H.....s.x.v.5~.E....[...7...
..O..........E.g....u.(....266..g.......c,...<.4.%.b.aX.....I...r.g.*....R`.[...../:....	.6....N.G.s..Q...6&.e....y...q.....-b#...S.o.....:fY.)l......n*3..%..s..,9Z.X.i.+.!...&.....lF.;!w.....e......,.".N....
....|..5-o.&..k.D\AB..>../.q.1.D.z..1oK ...	....>.D......	.7!|M.A...+_.."l.9.G.oh.I...{.Tt....(.....b..a.%.8G.at..(1.K"i1.C?..,R.y.3.....ZiJ.#..N..`=.G.......'.cY..c..~....D3d. ...rw........A.....M...?.....tu......@</-.D...WZ.'2....&.....@.s..e..C..y.....6x...t..7....x.T.;......:t.|......................Z.el...bf...t.$..aaA.).f.d.8.Y......h..[7.@.V.Lg4......6...`.....a.D.&M../..|.)....\.f.|y....]#....E.5=..../!C.....4.....H7.N|	*.|...
@%a..8...:#..`.R8..H.k....u.y..A....x1....!..8t5.....,...7..4G.r.K....M..(.pv{....+..u.S.}J.(...[..-e..,.7....p..v&....,..!.."|..@.............2.Ev...*..x.R..J_--Encrypted Boundary--

Similarly, it sent the negotiate request and got an authentication token back; then it sent the encrypted message and got back 200 with an encrypted response.

So clearly the encryption mechanism on the server should work, but it doesn't recognize my requests.

Here is my Java code to encrypt the POST request:


import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

// Builds the POST for one SOAP message (outStr) over the established JGSS context.
// In our transport the GSSContext is obtained from gssContext.getContext().
HttpPost buildEncryptedPost(GSSContext gssContext, String outStr, boolean privacy)
        throws GSSException, IOException {
    MessageProp messageProp = new MessageProp(0, privacy);   // QOP 0, confidentiality = privacy
    final byte[] outt = outStr.getBytes(StandardCharsets.UTF_8);
    // GSS_Wrap of the SOAP body; JGSS returns one opaque wrap token
    final byte[] encrypted = gssContext.wrap(outt, 0, outt.length, messageProp);
    int outLen = outt.length;   // plaintext length, advertised in OriginalContent
    int headerLen = 60;         // value written into the 4-byte signature-length prefix; it must equal
                                // the number of signature bytes that precede the encrypted data
    final HttpPost post = new HttpPost("/wsman");

    ByteArrayOutputStream message = new ByteArrayOutputStream();
    // signature length as a 4-byte little-endian integer
    byte[] headerLenBytes = new byte[4];
    headerLenBytes[0] = (byte) (headerLen & 0xFF);
    headerLenBytes[1] = (byte) ((headerLen >> 8) & 0xFF);
    headerLenBytes[2] = (byte) ((headerLen >> 16) & 0xFF);
    headerLenBytes[3] = (byte) ((headerLen >> 24) & 0xFF);
    if (privacy) {
        message.write(headerLenBytes);
    }
    message.write(encrypted);

    // MIME headers of the two parts; every line is terminated by CRLF
    String prefix = "--Encrypted Boundary" + "\r\n"
        + "\tContent-Type: application/HTTP-SPNEGO-session-encrypted" + "\r\n"
        + "\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=" + outLen + "\r\n"
        + "--Encrypted Boundary" + "\r\n"
        + "\tContent-Type: application/octet-stream" + "\r\n";

    ByteArrayOutputStream body = new ByteArrayOutputStream();
    if (privacy) {
        body.write(prefix.getBytes(StandardCharsets.US_ASCII));
    }
    message.writeTo(body);
    if (privacy) {
        // the closing boundary follows the ciphertext directly, with no separating CRLF
        body.write(("--Encrypted Boundary--" + "\r\n").getBytes(StandardCharsets.US_ASCII));
    }

    ByteArrayEntity reqEntity = new ByteArrayEntity(body.toByteArray());
    post.setEntity(reqEntity);
    post.setHeader("Accept", "*/*");
    if (privacy) {
        // no whitespace is allowed inside the protocol parameter value
        post.setHeader("Content-Type",
            "multipart/encrypted;protocol=\"application/HTTP-SPNEGO-session-encrypted\";"
            + "boundary=\"Encrypted Boundary\"");
    } else {
        post.setHeader("Content-Type", "application/soap+xml;charset=UTF-8");
    }
    return post;
}

So I have two questions:

  1. Can anyone point out any mistakes in my code regarding the encryption format and parameters? Clearly the Windows Server RM service doesn't like it.
  2. Can anyone help me read the wsmtraces log file, which is in binary format? I assume I need some internal tool from Microsoft? Thanks!
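The envelope format the question is about (the MS-WSMV multipart/encrypted body whose octet-stream part starts with a 4-byte little-endian signature length, followed by the signature and then the encrypted data), as an added example that is not part of the original post, of pywinrm, or of the poster's Java transport. It assumes the GSS wrap output is already available as two separate buffers, the signature (header) and the encrypted data, which is how a GSS IOV wrap returns them; the byte strings standing in for those buffers are constructed sample data, not real Kerberos output. The parser cross-checks every framing field, which is the kind of diagnostic a server's bare HTTP 400 does not give you.

```python
"""Builder and checker for the MS-WSMV multipart/encrypted envelope used for
SPNEGO/Kerberos message-level encryption of WinRM traffic over HTTP."""
import re
import struct

BOUNDARY = b"--Encrypted Boundary"
PROTOCOL = b"application/HTTP-SPNEGO-session-encrypted"
CONTENT_TYPE = ('multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";'
                'boundary="Encrypted Boundary"')
_OCTET_HEADER = b"\r\n\tContent-Type: application/octet-stream\r\n"
_CLOSING = BOUNDARY + b"--\r\n"
_ORIG_RE = re.compile(rb"OriginalContent: type=application/soap\+xml;charset=UTF-8;Length=(\d+)")


def build_envelope(plaintext: bytes, signature: bytes, ciphertext: bytes) -> bytes:
    """Frame one wrapped SOAP message.

    `signature` and `ciphertext` are the two buffers a GSS IOV wrap returns
    (header/signature and encrypted data). The octet-stream part is laid out as
    <4-byte little-endian signature length><signature><encrypted data>, followed
    directly by the closing boundary; OriginalContent carries the plaintext length.
    """
    octet = struct.pack("<I", len(signature)) + signature + ciphertext
    return b"\r\n".join([
        BOUNDARY,
        b"\tContent-Type: " + PROTOCOL,
        b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length="
        + str(len(plaintext)).encode("ascii"),
        BOUNDARY,
        b"\tContent-Type: application/octet-stream",
        octet + _CLOSING,
    ])


def http_headers(body: bytes) -> dict:
    """Request headers that must accompany an envelope built above."""
    return {"Content-Type": CONTENT_TYPE, "Content-Length": str(len(body))}


def parse_envelope(body: bytes):
    """Split an envelope into (original_length, signature, ciphertext).

    Every framing field is cross-checked; a ValueError names the first
    inconsistency found.
    """
    head, sep, rest = body.partition(_OCTET_HEADER)
    if not sep or not head.startswith(BOUNDARY + b"\r\n\tContent-Type: " + PROTOCOL):
        raise ValueError("first part is not the SPNEGO-session-encrypted header")
    match = _ORIG_RE.search(head)
    if match is None:
        raise ValueError("OriginalContent length missing")
    original_len = int(match.group(1))
    if not rest.endswith(_CLOSING):
        raise ValueError("closing boundary missing")
    octet = rest[: -len(_CLOSING)]
    if len(octet) < 4:
        raise ValueError("octet-stream part shorter than the length prefix")
    (sig_len,) = struct.unpack("<I", octet[:4])
    if 4 + sig_len > len(octet):
        raise ValueError(f"declared signature length {sig_len} exceeds part size {len(octet) - 4}")
    return original_len, octet[4:4 + sig_len], octet[4 + sig_len:]


# Constructed sample data: opaque bytes standing in for a 60-byte GSS signature
# and for the encrypted SOAP body; they are not real Kerberos output.
SAMPLE_PLAINTEXT = b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body/></s:Envelope>'
SAMPLE_SIGNATURE = bytes(range(60))
SAMPLE_CIPHERTEXT = bytes((i * 7 + 3) & 0xFF for i in range(len(SAMPLE_PLAINTEXT) + 32))


def round_trip() -> bool:
    """Build the sample envelope and confirm the parser recovers every field."""
    env = build_envelope(SAMPLE_PLAINTEXT, SAMPLE_SIGNATURE, SAMPLE_CIPHERTEXT)
    return parse_envelope(env) == (len(SAMPLE_PLAINTEXT), SAMPLE_SIGNATURE, SAMPLE_CIPHERTEXT)


if __name__ == "__main__":
    env = build_envelope(SAMPLE_PLAINTEXT, SAMPLE_SIGNATURE, SAMPLE_CIPHERTEXT)
    print(http_headers(env))
    print("round trip ok:", round_trip())
```

Two details of the layout are worth keeping in mind when comparing your own bytes against a trace. The 4-byte prefix counts only the signature; the encrypted data that follows is not length-prefixed and runs up to the closing boundary, so the sender has to know exactly where the GSS signature ends and the ciphertext begins. With a 60-byte signature that prefix is the bytes 3c 00 00 00, which tcpdump -A prints as the "<" that opens the octet-stream part of the pywinrm request above.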

1 answer

Limitless Technology 43,931 Reputation points
2023-03-29T11:25:40.86+00:00

Hello there,

To view the data contained in a trace log file, you must execute a utility that the DTC provides. This utility, msdtcvtr, converts the binary trace file to a text file that you can read.

Running the msdtcvtr utility batch file requires that the tracefmt.exe tool (which is included in the Platform SDK) is in the path. The tracefmt.exe tool can be obtained from the \Bin folder in the directory in which you've installed the Platform SDK. The msdtcvtr batch file is located in the WINDOWS\system32\MsDtc\Trace folder.

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms678917(v=vs.85)

Similar discussion here https://learn.microsoft.com/en-us/answers/questions/501472/winrm-error-code-400

Hope this resolves your query!

--If the reply is helpful, please Upvote and Accept it as an answer--
