SSPI and SQL Server Windows Authentication

余生长醉 submitted on 2019-12-05 02:33:16

With WinAPIOverride I found that authentication uses Bindings (see QueryContextAttributes SECPKG_ATTR_UNIQUE_BINDINGS) retrieved from the SSL handshake, in the negotiation InitializeSecurityContext, as a SECBUFFER_CHANNEL_BINDINGS member.

So far I have made an SSPI-based SSL handshake and got Bindings that look like:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   |  ................
00 00 00 00 00 00 00 00 17 00 00 00 20 00 00 00   |  ............ ...
74 6C 73 2D 75 6E 69 71 75 65 3A 66 55 6F 05 7F   |  tls-unique:fUo.
DD 90 31 4F 87 02 52   |  ..1O..R

I found that those empty NTLMSSP messages seem proper (with some extra at the end) while the client and server are on the same machine; the ODBC driver sends something like:

A1 77 30 75 A0 03 0A 01 01 A2 5A 04 58 4E 54 4C .w0u......Z.XNTL
4D 53 53 50 00 03 00 00 00 00 00 00 00 58 00 00 MSSP.........X..
00 00 00 00 00 58 00 00 00 00 00 00 00 58 00 00 .....X.......X..
00 00 00 00 00 58 00 00 00 00 00 00 00 58 00 00 .....X.......X..
00 00 00 00 00 58 00 00 00 15 C2 88 E2 0A 00 5A .....X.........Z
29 00 00 00 0F 9E 3F 5C EE FF F1 AF 9A 44 4C 3A ).....?\.....DL:
6F C3 20 0F 8B A3 12 04 10 01 00 00 00 9C B1 60 o. ............`
36 3B 84 96 09 00 00 00 00                      6;.......  

The remote last authentication data looks like this (ODBC driver):

4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP.........
78 00 00 00 3C 01 3C 01 90 00 00 00 0E 00 0E 00 x...<.<.........
58 00 00 00 04 00 04 00 66 00 00 00 0E 00 0E 00 X.......f.......
6A 00 00 00 10 00 10 00 CC 01 00 00 15 82 88 E2 j...............
0A 00 5A 29 00 00 00 0F E0 87 5F 85 21 5A 73 17 ..Z)......_.!Zs.
04 6C 1A F5 9C BA F7 42 33 00 52 00 2D 00 57 00 .l.....B3.R.-.W.
69 00 6E 00 37 00 6D 00 65 00 33 00 52 00 2D 00 i.n.7.m.e.3.R.-.
57 00 49 00 4E 00 37 00 00 00 00 00 00 00 00 00 W.I.N.7.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
37 F2 38 62 5B 9C 7E 07 6F 89 9F 33 B2 92 3C 5C 7.8b[.~.o..3..<\
01 01 00 00 00 00 00 00 47 39 01 AD AC 4F D1 01 ........G9...O..
0D 36 47 06 7E 70 B8 A4 00 00 00 00 02 00 18 00 .6G.~p..........
48 00 50 00 2D 00 45 00 4C 00 49 00 54 00 45 00 H.P.-.E.L.I.T.E.
42 00 4F 00 4F 00 4B 00 01 00 18 00             B.O.O.K.....   

while SSPI with Bindings looks slightly bigger (the first 8 bytes here are the TDS packet header):

11 01 01 EE 00 00 00 00 4E 54 4C 4D 53 53 50 00   |  ........NTLMSSP.
03 00 00 00 18 00 18 00 78 00 00 00 46 01 46 01   |  ........x...F.F.
90 00 00 00 0E 00 0E 00 58 00 00 00 04 00 04 00   |  ........X.......
66 00 00 00 0E 00 0E 00 6A 00 00 00 10 00 10 00   |  f.......j.......
D6 01 00 00 15 82 88 E2 0A 00 5A 29 00 00 00 0F   |  ..........Z)....
AD A5 C9 05 8C 25 E1 A9 C5 3E 17 BD 3D 19 E3 EB   |  .....%...>..=...
33 00 52 00 2D 00 57 00 69 00 6E 00 37 00 6D 00   |  3.R.-.W.i.n.7.m.
65 00 33 00 52 00 2D 00 57 00 49 00 4E 00 37 00   |  e.3.R.-.W.I.N.7.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   |  ................
00 00 00 00 00 00 00 00 02 0B C5 A2 01 17 DB AC   |  ................
D8 26 9E 1B AF A1 77 32 01 01 00 00 00 00 00 00   |  .&....w2........
B8 28 90 0F AD 4F D1 01 41 F1 DF 7C BE 85 5D B6   |  .(...O..A..|..].
00 00 00 00 02 00 18 00 48 00 50 00 2D 00 45 00   |  ........H.P.-.E.
4C 00 49 00 54 00 45 00 42 00 4F 00 4F 00 4B 00   |  L.I.T.E.B.O.O.K.
01 00 18 00 48 00 50 00 2D 00 45 00 4C 00 49 00   |  ....H.P.-.E.L.I.
54 00 45 00 42 00 4F 00 4F 00 4B 00 04 00 18 00   |  T.E.B.O.O.K.....
48 00 50 00 2D 00 45 00 6C 00 69 00 74 00 65 00   |  H.P.-.E.l.i.t.e.
62 00 6F 00 6F 00 6B 00 03 00 18 00 48 00 50 00   |  b.o.o.k.....H.P.
2D 00 45 00 6C 00 69 00 74 00 65 00 62 00 6F 00   |  -.E.l.i.t.e.b.o.
6F 00 6B 00 07 00 08 00 B8 28 90 0F AD 4F D1 01   |  o.k......(...O..
06 00 04 00 02 00 00 00 08 00 30 00 30 00 00 00   |  ..........0.0...
00 00 00 00 01 00 00 00 00 20 00 00 DC 75 9C 98   |  ......... ...u..
70 C7 28 D7 BC C7 1E 14 48 70 0E 3B 8B A4 94 7C   |  p.(.....Hp.;...|
32 05 44 FD 85 5F D3 54 DB 6C 84 22 0A 00 10 00   |  2.D.._.T.l."....
B1 3B 92 CC 6C 5B E2 CD 0F 24 19 5F 6F 73 47 73   |  .;..l[...$._osGs
09 00 3E 00 4D 00 53 00 53 00 51 00 4C 00 53 00   |  ..>.M.S.S.Q.L.S.
76 00 63 00 2F 00 48 00 50 00 2D 00 45 00 4C 00   |  v.c./.H.P.-.E.L.
49 00 54 00 45 00 42 00 4F 00 4F 00 4B 00 3A 00   |  I.T.E.B.O.O.K.:.
4D 00 53 00 53 00 51 00 4C 00 32 00 30 00 30 00   |  M.S.S.Q.L.2.0.0.
38 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 46   |  8..............F
20 EB 45 EC C8 67 9F E3 45 45 9C 79 76 47   |   .E..g..EE.yvG

QueryContextAttributes(@FCtxHandle, SECPKG_ATTR_NEGOTIATION_INFO, @NegInfo) returns state SECPKG_NEGOTIATION_COMPLETE, so everything is supposed to be fine, and the server log shows "Authentication successful", but there are still not enough rights to get the results of queries, or the server returns errors like "Cannot find the object "all_types" because it does not exist or you do not have permissions", while simple queries like "SET LOCK TIMEOUT 100" run without errors.

So my thought is that Windows Authentication, in the eyes of its own creator, doesn't look secure enough to be allowed for third-party applications. The Guest account is enabled and has permissions to read/write data, and it works through the ODBC driver.
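The first dump in the post is an SSPI SEC_CHANNEL_BINDINGS buffer: eight little-endian DWORDs (type, length and offset for the initiator and acceptor addresses, then length and offset of the application data) followed by the data. The following Python sketch is an added example, not part of the original post: it parses those bytes and computes the MD5 of the gss_channel_bindings_struct serialization, which is what MS-NLMP specifies for the MsvAvChannelBindings AV pair (AvId 0x000A) of the NTLM AUTHENTICATE message. The function names are hypothetical.

```python
import hashlib
import struct

# Bytes copied from the first hex dump in the post (header + application data).
BINDINGS = bytes.fromhex(
    "00000000 00000000 00000000 00000000"
    "00000000 00000000 17000000 20000000"
    "746C732D 756E6971 75653A66 556F057F"
    "DD90314F 870252"
)
HEADER_LEN = 32  # eight little-endian DWORDs in SEC_CHANNEL_BINDINGS


def parse_sec_channel_bindings(buf):
    """Split an SSPI SEC_CHANNEL_BINDINGS buffer into its three data fields."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than SEC_CHANNEL_BINDINGS header")
    i_type, i_len, i_off, a_type, a_len, a_off, app_len, app_off = \
        struct.unpack_from("<8I", buf)

    def field(length, offset, name):
        if length == 0:
            return b""
        if offset < HEADER_LEN or offset + length > len(buf):
            raise ValueError(name + " lies outside the buffer")
        return buf[offset:offset + length]

    return {
        "initiator": (i_type, field(i_len, i_off, "initiator address")),
        "acceptor": (a_type, field(a_len, a_off, "acceptor address")),
        "application_data": field(app_len, app_off, "application data"),
    }


def gss_channel_bindings_bytes(cb):
    """Serialize as the gss_channel_bindings_struct form that NTLM hashes."""
    out = b""
    for addr_type, addr in (cb["initiator"], cb["acceptor"]):
        out += struct.pack("<II", addr_type, len(addr)) + addr
    app = cb["application_data"]
    return out + struct.pack("<I", len(app)) + app


def ntlm_channel_bindings_hash(buf):
    """16-byte value expected in the MsvAvChannelBindings AV pair (AvId 0x000A)."""
    parsed = parse_sec_channel_bindings(buf)
    return hashlib.md5(gss_channel_bindings_bytes(parsed)).digest()
```

The tls-unique value changes with every TLS session, so the computed hash can only be compared with the 0x000A AV pair of an AUTHENTICATE message captured from the same session as the bindings.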
