Hi all.

Long-time curl and libcurl user, and suffering just as long from having to
enter proxy creds on the command line.

In the end this very thing stops us from using libcurl with Windows SSPI in a 
Windows product, so we suffer even more trying to use WinInet and WinHttp.

Recently I spent some time and finally figured out what's wrong with all of 
this. It turns out the change to be made is almost trivially simple: one must 
supply an SPN to the call of InitializeSecurityContext() instead of an empty 
string, e.g. 'TEXT("")' in ntlm_sspi.c:

  status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
                                               (TCHAR *) TEXT(""),
                                               0, 0, SECURITY_NETWORK_DREP,
                                               NULL, 0,
                                               ntlm->context, &type_1_desc,
                                               &attrs, &expiry);

as one does with 'host_name' in the SChannel implementation in schannel.c:

    sspi_status = s_pSecFn->InitializeSecurityContext(
      &connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
      host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
      &outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);


In the case of a proxy, Chromium does it like this:

  HTTP/proxy.example.com

I would REALLY appreciate it if anyone does fix it for me.

Otherwise it will take me some time to dive into the implementation techniques 
and coding style to do this, but in the end I will do it for sure.

Thanks in advance.

paul


P.S. Some more details on providing SPN to the call of 
InitializeSecurityContext().
If your logon creds are ok to authenticate on the server, then empty string 
works.
If the server does not accept your logon creds, but there is a record for the 
server in Windows Credential Manager, the authentication will fail 
since, I guess, SSPI tries to use only your logon creds.
However if you supply the host name to the InitializeSecurityContext() call it 
works either way: if there is a record for the host in Credential Manager, SSPI 
uses it; if there isn't, SSPI uses your logon creds.
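
The change proposed in the message above, sketched as an added example that is not part of the original post and is not curl code: it builds the "HTTP/<host>" target name in the Chromium form quoted above and passes it where ntlm_sspi.c passes TEXT(""). The names build_spn() and ntlm_type1() are hypothetical, the ANSI SSPI entry points are assumed, and the Windows half links against secur32.lib.

```c
/* Added example, not curl code. build_spn() and ntlm_type1() are
 * hypothetical names; the Windows part links against secur32.lib. */
#include <stdio.h>
#include <string.h>
/* Write "<service>/<host>" into out; -1 on empty input or truncation. */
int build_spn(const char *service, const char *host, char *out, size_t outlen)
{
  int n;
  if(!service || !*service || !host || !*host || !out || !outlen)
    return -1;
  n = snprintf(out, outlen, "%s/%s", service, host);
  if(n < 0 || (size_t)n >= outlen) {
    out[0] = '\0'; /* never pass a truncated target name to SSPI */
    return -1;
  }
  return 0;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
/* NTLM type-1 token for proxy_host. Caller sets token->pvBuffer/cbBuffer and,
 * on success, keeps cred and ctx for the type-3 step, then releases both. */
SECURITY_STATUS ntlm_type1(const char *proxy_host, CredHandle *cred,
                           CtxtHandle *ctx, SecBuffer *token)
{
  char spn[300];
  SecBufferDesc desc = { SECBUFFER_VERSION, 1, token };
  unsigned long attrs = 0;
  TimeStamp expiry;
  SECURITY_STATUS st;
  if(build_spn("HTTP", proxy_host, spn, sizeof(spn)) != 0)
    return SEC_E_TARGET_UNKNOWN;
  token->BufferType = SECBUFFER_TOKEN;
  st = AcquireCredentialsHandleA(NULL, (SEC_CHAR *)"NTLM",
                                 SECPKG_CRED_OUTBOUND, NULL, NULL, NULL,
                                 NULL, cred, &expiry);
  if(st != SEC_E_OK)
    return st;
  /* The SPN goes where ntlm_sspi.c passes TEXT(""). */
  st = InitializeSecurityContextA(cred, NULL, spn, 0, 0,
                                  SECURITY_NETWORK_DREP, NULL, 0, ctx,
                                  &desc, &attrs, &expiry);
  if(FAILED(st))
    FreeCredentialsHandle(cred);
  return st;
}
#endif
```

A successful first call normally returns SEC_I_CONTINUE_NEEDED, with the type-1 token length in token->cbBuffer.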