SASL / GSSAPI (Kerberos): authenticate to Active Directory using an Authorization Negotiate token #1123

Open
Craftonix opened this issue Jan 29, 2024 · 0 comments

Craftonix commented Jan 29, 2024

Hello,
I have the following code that works when running as a user, but when I run the code as a Windows service (user not known), I try to pass an Authorization Negotiate token, obtained from a browser running in user space, and it fails with this error:
`'8009030B: LdapErr: DSID-0C0905E4, comment: AcceptSecurityContext error, data 0, v3839\x00'`

I tried to understand the token, but found not much info; I understood that the first part is some kind of Kerberos part (68 bytes), and the second part is an NTLMSSP token (clear text).

I don't really understand how the Negotiate token works. Is there a way to use this token to authenticate with Active Directory?

```python
from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl
import os
import base64

b64token = 'YH8GBis (hidden for security)'
token = base64.b64decode(b64token)
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('myadserver.local', use_ssl=True, tls=tls)
# attempt: hand the browser's Negotiate token to the GSSAPI bind as SASL credentials
c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI, sasl_credentials=('myadserver.local', token,), raise_exceptions=False)
# works as current user:
#c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI, raise_exceptions=False)

c.bind()
print('user authenticated: {}'.format(c.extend.standard.who_am_i()))
print(c.result)
c.unbind()
```

Little Tornado app to get the token from a browser:

```python
import tornado.ioloop
import tornado.web

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello, world")

    def prepare(self):
        print(self.request.headers)
        auth_header = self.request.headers.get('Authorization')
        if auth_header is None or not auth_header.startswith('Negotiate '):
            # challenge the browser so it answers with a Negotiate (SPNEGO) token
            self.set_status(401)
            self.set_header('WWW-Authenticate', 'Negotiate')
            self.finish()
            return

        try:
            token = auth_header.split(' ', 1)[1]  # base64 part of "Negotiate <token>"
            print(token)
        except IndexError:
            self.set_status(401)
            self.finish()

def make_app():
    return tornado.web.Application([
        (r"/", MainHandler),
    ])

if __name__ == "__main__":
    app = make_app()
    app.listen(8080)
    tornado.ioloop.IOLoop.current().start()
```
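
The structure the issue describes ("a Kerberos part" followed by a clear-text NTLMSSP blob) is the standard SPNEGO framing: the base64 prefix `YH8GBis` quoted above decodes to `60 7f 06 06 2b ...`, i.e. a GSS-API InitialContextToken carrying the SPNEGO OID 1.3.6.1.5.5.2, and what follows is a NegTokenInit listing the mechanisms the browser offers plus the first message of the chosen one. The inspector below is an added example, not code from the issue author, from ldap3 or from Tornado; it is a minimal hand-written DER decoder (RFC 2743 section 3.1 / RFC 4178 framing only) that reports which mechanisms were offered and whether the inner token is an NTLMSSP message, and which message type it is. The sample token is constructed in this file; the NTLM flag value in it is an arbitrary placeholder. Running it over a real `Authorization: Negotiate` value tells an operator the thing that matters here: a NegTokenInit whose inner token is NTLMSSP type 1 means the browser did not obtain a Kerberos ticket at all and is opening an NTLM handshake with the web app; that first leg carries no authenticator, so it is not a credential the service could present to the directory.

```python
"""Inspect a SPNEGO 'Authorization: Negotiate <base64>' token (added example)."""
import base64
import struct

# Well-known GSS mechanism OIDs in dotted form.
OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """DER OID content bytes -> dotted notation (first two arcs packed as 40*x+y)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def ntlm_message_type(blob):
    """NTLMSSP MessageType field (1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE) or None."""
    if blob.startswith(NTLMSSP_SIGNATURE) and len(blob) >= 12:
        return struct.unpack_from("<I", blob, 8)[0]
    return None


def inspect_negotiate_token(b64token):
    """Classify a Negotiate token: raw NTLMSSP, plain Kerberos, or SPNEGO with its mech list."""
    token = base64.b64decode(b64token)
    result = {"kind": "unknown", "mechs": [], "ntlm_type": ntlm_message_type(token)}
    if result["ntlm_type"] is not None:     # browsers may send bare NTLMSSP too
        result["kind"] = "raw NTLMSSP"
        return result
    if not token or token[0] != 0x60:       # [APPLICATION 0] InitialContextToken expected
        return result
    _, body, _ = read_tlv(token, 0)
    tag, oid_raw, pos = read_tlv(body, 0)   # thisMech OID comes first
    mech = OIDS.get(decode_oid(oid_raw), decode_oid(oid_raw))
    result["kind"] = mech
    if mech != "SPNEGO":
        return result
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] mechListMIC }
    _, neg, _ = read_tlv(body, pos)
    _, seq, _ = read_tlv(neg, 0)
    p = 0
    while p < len(seq):
        tag, val, p = read_tlv(seq, p)
        if tag == 0xA0:                     # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val, 0)
            q = 0
            while q < len(lst):
                _, o, q = read_tlv(lst, q)
                result["mechs"].append(OIDS.get(decode_oid(o), decode_oid(o)))
        elif tag == 0xA2:                   # mechToken: OCTET STRING with the first mech's message
            _, inner, _ = read_tlv(val, 0)
            result["ntlm_type"] = ntlm_message_type(inner)
    return result


# --- tiny DER encoder, only used to build the CONSTRUCTED sample below ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_token():
    """CONSTRUCTED sample: SPNEGO NegTokenInit offering Kerberos + NTLM, carrying NTLMSSP NEGOTIATE."""
    ntlm_negotiate = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + bytes(16)
    mech_types = der(0xA0, der(0x30, encode_oid("1.2.840.113554.1.2.2") + encode_oid("1.3.6.1.4.1.311.2.2.10")))
    mech_token = der(0xA2, der(0x04, ntlm_negotiate))
    neg_init = der(0xA0, der(0x30, mech_types + mech_token))
    return base64.b64encode(der(0x60, encode_oid("1.3.6.1.5.5.2") + neg_init)).decode()


if __name__ == "__main__":
    print(inspect_negotiate_token(build_sample_token()))
```

To use it on a captured header, pass the part after `Negotiate ` to `inspect_negotiate_token`. If `mechs` lists Kerberos first but `ntlm_type` is 1, the browser fell back to NTLM (typically no ticket for the site's SPN, or the site not trusted for integrated auth); if `mechs` contains only NTLMSSP, Kerberos was never offered. Either way the token is the opening leg of a handshake between the browser and the web app, not something a second service can bind to LDAP with.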
