
How to create SPNEGO token to be sent in HTTP header from Kerberos TKT?


I am developing an application that requires authenticating with a proxy using Negotiate. The user may not have a Kerberos client installed. I am trying to achieve this using the MIT Kerberos library in order to avoid platform dependency. I have successfully got a TKT using krb5_get_init_creds_password and verified it with krb5_verify_init_creds. Now I want to create a SPNEGO token to be sent in the HTTP header using this TKT. Can anyone tell me any API or method to create a SPNEGO token?


Solution

  • You can use gss_init_sec_context for the purpose.

    Some background:

    SPNEGO is an abstraction on top of Kerberos for HTTP-based communication (which does not use the security context for encryption, though).

    For this purpose, do the following:

    1. Now that you have called krb5_get_init_creds_password and have got the krb5 mech credential, create an in-memory credential cache using krb5_cc_new_unique and then initialize it.

    2. Now use krb5_cc_store_cred to store it into that cache.

    3. Use gss_krb5_import_cred to get a GSSAPI credential.

    Now you have all the necessary preauth info. All you need to do is use gss_init_sec_context to create an input token.

    Now here is the good part: the latest MIT Kerberos libraries support SPNEGO natively. There is an OID structure called gss_OID that you need to create. For SPNEGO that is:

     static gss_OID_desc _gss_mech_spnego = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };


    and then pass this as an argument to gss_init_sec_context.

    If you are using an older MIT Kerberos library then I suggest you use fbopenssl for this purpose. You can check out curl source code to check out how it is done.
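As an added example (not code from the answer or from MIT Kerberos), the following standalone C derives the element bytes that a gss_OID_desc carries from a dotted OID string, so the literal "\x2b\x06\x01\x05\x05\x02" for SPNEGO (1.3.6.1.5.5.2) is computed rather than hand-typed. It uses only the C standard library; the names oid_to_der and oid_matches are this example's own.

```c
#include <stdlib.h>
#include <string.h>

/* Base-128 arc encoding with continuation bits (X.690 8.19); `out` may be
 * NULL to only compute the size. Returns the number of bytes. */
static size_t encode_arc(unsigned long v, unsigned char *out) {
    unsigned char tmp[10];
    size_t n = 0;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    for (size_t i = 0; i < n && out; i++)            /* most significant first */
        out[i] = tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0x00);
    return n;
}

/* Encode "a.b.c..." into the bare contents octets that gss_OID_desc.elements
 * holds (no tag/length). Returns the length, 0 on bad input or if cap is small. */
size_t oid_to_der(const char *dotted, unsigned char *out, size_t cap) {
    unsigned long arcs[32];
    size_t n = 0, len = 0;
    for (const char *p = dotted; *p; ) {
        char *end;
        if (n == 32 || *p < '0' || *p > '9') return 0;
        arcs[n++] = strtoul(p, &end, 10);
        if (*end == '.' && end[1] != '\0') end++;
        else if (*end != '\0') return 0;
        p = end;
    }
    /* the first two arcs share one value, 40*X + Y: 1.3 becomes 0x2b */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    arcs[1] += 40 * arcs[0];
    for (size_t i = 1; i < n; i++) {
        size_t need = encode_arc(arcs[i], NULL);
        if (len + need > cap) return 0;
        encode_arc(arcs[i], out + len);
        len += need;
    }
    return len;
}

/* True when `dotted` encodes to exactly the `len` bytes in `expect`. */
int oid_matches(const char *dotted, const unsigned char *expect, size_t len) {
    unsigned char buf[64];
    size_t n = oid_to_der(dotted, buf, sizeof buf);
    return n == len && memcmp(buf, expect, len) == 0;
}
```

With <gssapi/gssapi.h> available, the result of oid_to_der("1.3.6.1.5.5.2", buf, sizeof buf) fills a gss_OID_desc as { (OM_uint32)n, buf } for the mech_type argument of gss_init_sec_context; the same function yields the 9-byte Kerberos V5 mech OID 1.2.840.113554.1.2.2, whose multi-byte arcs show the continuation-bit rule.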