How do I handle Negotiate in .NET?

放肆的年华 提交于 2019-12-01 05:35:18

问题


I'm trying to implement Negotiate (at least the Kerberos part) in a small web server. I've figured out how to get a client to send me a Kerberos Negotiate Authorization header. I've figured out how to decode that data (ASN.1). I cannot figure out how to turn this into a WindowsIdentity. I can get a general idea of how I might from KerberosReceiverSecurityToken, but I can't find anything like a NegotiateReceiverSecurityToken. I've been digging through lots of DLLs and I can't for the life of me figure out where IIS/.NET processes the Negotiate header.

I presume (if I had my own SspiWrapper) that I would do something with SspiWrapper.AcquireDefaultCredential("Negotiate", CredentialUse.Inbound) to acquire an SSPI context with which I could call AcceptSecurityContext/Negotiate and then use QuerySecurityContextToken to get the token with which I could create a WindowsIdentity.

But KerberosReceiverSecurityToken makes that look like an immensely complicated process. And without any idea of how to do that or what part of the Authorization header payload to put into it, I could probably beat my head against it for a month without getting anywhere.

(Before you ask or answer, I have absolutely no interest in using the built in Negotiate logic. If I could find it, I would learn from it, but I've been trying to get that to work for FAR to long. And I'm done with that.)


回答1:


  1. Parse the incoming response token
  2. Call Secur32.AcquireCredentialsHandle to get a handle
  3. Call Secur32.AcceptSecurityContext passing the handle and the token
  4. Call Secur32.QuerySecurityContextToken passing the security context
  5. Construct a new WindowsIdentity(hToken) using the output form step 4

If you have any questions about any of these steps, I can elaborate and/or provide some sample code.



来源:https://stackoverflow.com/questions/40944092/how-do-i-handle-negotiate-in-net

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!