Try such http/* format, for Kerberos authentication.
I want to use SSPI to implement Kerberos authentication, but it always downgrades to NTLM.
I use the Negotiate package to do SSPI authentication and try to set different target names. My domain name is "test", the domain user is "judy", and I also registered the SPN "host\judy" for "judy" using setspn, so I tried the target name as "judy", "test\judy", "administrator", "host\judy", "judy@test .com", but all the authentication gets downgraded to NTLM.
Did I miss something?
Windows API - Win32
C++
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-04T05:29:03.203+00:00 Have you set the SPN correctly? Or try the command Netdom computername <COMPUTER> /add:<ALIAS>, which needs to run as administrator, or provide permissions for the Network Controller machines to automatically configure the SPN.
Also, there is a guide for configuring a Service Principal Name as an IP address.
Finally, I found that when the SPN is the correct domain account, virtual account, MSA, or built-in account, local connections use NTLM and remote connections use Kerberos. -
Judy Jing Zhang • 1 Reputation point
2021-08-04T05:53:15.133+00:00 Thanks for your reply. I just wrote two EXEs and started them as domain user "test\judy", so I don't use IIS, and I used setspn to set the SPN name "HOST\Judy" for domain user "test\judy". So for this case, what are the next steps I need to try?
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-04T06:24:00.623+00:00 Do you use the Sample SSPI Code? There are some settings for Kerberos in InitializeSecurityContext, and the linked sample uses ISC_REQ_CONFIDENTIALITY without Kerberos. -
Judy Jing Zhang • 1 Reputation point
2021-08-04T06:30:33.083+00:00 Yes, I use this sample code and set the SPN name for the InitializeSecurityContext parameter, but it always downgrades to NTLM.
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-04T06:44:52.12+00:00 Perhaps you need to specify the Kerberos security package in the InitializeSecurityContext function. Have you changed the ServerName and TargetName (=SPN) in the sample? -
Judy Jing Zhang • 1 Reputation point
2021-08-04T06:58:01.513+00:00 Could you see my description? I said I used setspn to register a new SPN for the domain user, and set the target name to this new SPN name. I tried the target name as "judy", "test\judy", "administrator", "host\judy", "judy@test .com", but all the authentication gets downgraded to NTLM.
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-05T02:28:07.167+00:00 Has host\judy been listed in the judy account's SPNs? I suppose the SPN cannot work, so that the calling application did not provide sufficient information to use Kerberos, according to Microsoft Negotiate.
And try to specify Kerberos instead of Negotiate in the AcquireCredentialsHandle function. -
Judy Jing Zhang • 1 Reputation point
2021-08-05T05:53:18.463+00:00 Yes, when I run setspn -L judy, it lists host\judy as an SPN. And if I specify Kerberos rather than "Negotiate", it returns the error SEC_E_INVALID_TOKEN when I call the InitializeSecurityContext function.
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-05T06:02:47.28+00:00 AcquireCredentialsHandle has a pszPackage parameter specifying the name of the security package, not InitializeSecurityContext.
And do the client.exe and the server.exe run on different computers? -
Judy Jing Zhang • 1 Reputation point
2021-08-05T06:14:10.207+00:00 Yes, I know. I can set the package name to "Kerberos" in the AcquireCredentialsHandle function and it returns success. Then I need to call InitializeSecurityContext with the CredHandle returned by AcquireCredentialsHandle, right? But it always fails.
They run on different computers, but in the same domain.
-
Judy Jing Zhang • 1 Reputation point
2021-08-05T06:16:28.597+00:00 Could you provide some sample code, just like the sample code in MSDN, for Kerberos? And do I need to change some configuration in AD or on the server, such as some policy to enable Kerberos?
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-05T06:36:47.803+00:00 According to the Feature Request, I realized that changing to Kerberos on the client isn't enough. It's also necessary to change to Kerberos on the server. The error code SEC_E_INVALID_TOKEN indicates that.
And perhaps you also need to change the SPN's format according to the request in the following comments?
My computer doesn't work on SPN. -
Judy Jing Zhang • 1 Reputation point
2021-08-05T06:49:05.45+00:00 Yes, I set Kerberos both in the server and in the client as the AcquireCredentialsHandle parameter. I am not very clear about your comment "And perhaps you also need to change the SPN's format according to the request in the following comments?" What's the correct format?
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-05T07:44:42.45+00:00
1 answer
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-08-20T07:41:33.977+00:00 -
Judy Jing Zhang • 1 Reputation point
2021-08-20T08:32:06.103+00:00 I tried to use http/server as the TargetName, but it still falls back to NTLM auth.
-
Judy Jing Zhang • 1 Reputation point
2021-08-20T08:38:49.407+00:00 And by the way, in the domain case, when I disconnect the AD controller, the connection authentication fails. Is that the right behavior? If I use SSPI in the domain case, do the server and client transmit messages only when the AD controller is connected?
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-09-01T01:42:04.007+00:00 I have escalated the question. Please wait for more details.
-
Xiaopo Yang - MSFT • 12,726 Reputation points • Microsoft Vendor
2021-09-02T05:53:23.737+00:00 You can also query the question's owner, who has implemented Kerberos using Windows SSPI successfully.
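The thread turns on whether the SPN is registered in a form the KDC can resolve and on telling a real Kerberos logon apart from a silent NTLM fallback. The following PowerShell is an added example, not code from the thread or from Microsoft: it checks the SPN registration on the service account, confirms the client obtained a service ticket, and reads the server's Security log to see which package actually authenticated each logon. The account name is taken from the thread; the server FQDN is a placeholder.

```powershell
# Added example (not from the thread): verify the SPN side of an SSPI Kerberos setup
# and confirm, from the server's Security log, which package authenticated a logon.
$ServiceAccount = 'judy'                # domain account that runs server.exe (from the thread)
$ServerFqdn     = 'server01.test.com'   # placeholder: FQDN of the host running server.exe
$Spn            = "HOST/$ServerFqdn"    # SPN form is service/host, with a forward slash

# 1. List what is currently registered on the account (same check as setspn -L judy).
setspn -L $ServiceAccount

# 2. Register the SPN on the service account; -S refuses to add a duplicate.
#    Needs rights to write servicePrincipalName on the account.
setspn -S $Spn $ServiceAccount

# 3. Search the forest for duplicate SPNs; a duplicate is a common reason the KDC
#    cannot issue a ticket and Negotiate quietly falls back to NTLM.
setspn -X

# 4. On the client: after a fresh run of client.exe, a service ticket for the SPN
#    should be in the cache. No ticket for HOST/<server> means Kerberos was never used.
klist purge | Out-Null
# ... run client.exe against the server here ...
klist | Select-String -Pattern ([regex]::Escape($Spn))

# 5. On the server: event 4624 records the package that handled each logon,
#    so AuthenticationPackageName shows "Kerberos" or "NTLM" per connection.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $d['TargetUserName']
            Package = $d['AuthenticationPackageName']
            Source  = $d['IpAddress']
        }
    } | Format-Table -AutoSize
```

Steps 1 to 3 run on a domain-joined admin workstation, step 4 on the machine running client.exe, and step 5 on the machine running server.exe, where a logon for the service account showing Package = NTLM is the downgrade the thread describes.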