
Negotiate SSPI 401 Channel Bindings #3503

Closed
georgeok opened this issue Jan 28, 2019 · 5 comments
@georgeok
Contributor

Similar to #3280
Negotiate authentication fails consistently on Windows when targeting an https endpoint that is WIA protected. This only happens when "Extended Protection" is set to Accept or Require in the IIS server (Accept is the default). The same endpoint works over plain HTTP.

I did this

curl.exe -v -k --negotiate -u user:Password https://my.dc.local/adfs/ls/wia/
and got 401.

The issue is related to the SECPKG_ATTR_ENDPOINT_BINDINGS and the windows Schannel.

curl/libcurl version

curl 7.62 and master.

[curl -V output]
curl 7.62.0 (i386-pc-win32) libcurl/7.62.0 OpenSSL/1.1.1 (WinSSL) zlib/1.2.11 brotli/1.0.7 WinIDN libssh2/1.8.0 nghttp2/1.34.0
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz brotli TLS-SRP HTTP2 HTTPS-proxy MultiSSL

operating system

Windows 7,8,10 tested so far.

@jay
Member

jay commented Jan 29, 2019

The issue is related to the SECPKG_ATTR_ENDPOINT_BINDINGS and the windows Schannel.

...

curl 7.62.0 (i386-pc-win32) libcurl/7.62.0 OpenSSL/1.1.1 (WinSSL) zlib/1.2.11 brotli/1.0.7 WinIDN

You are using curl built to support multiple SSL backends OpenSSL and WinSSL. You'll notice WinSSL is in parentheses which means it's not being used. What happens when you set the backend to schannel (which is what WinSSL is formally known as)?

set CURL_SSL_BACKEND=schannel
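The point jay makes about the -V output (a backend shown in parentheses is compiled in but not the one in use) can be checked mechanically. The parser below is an added example, not part of curl or of this issue; it reads the first line and the Features line of `curl -V` as printed in the report above, separates the active TLS backend from the inactive ones, and reports whether the build carries SSPI and MultiSSL. The list of backend names it recognises is an assumption for the example.

```python
"""
Parse `curl -V` output to find the active TLS backend of a MultiSSL build.
Added example, not curl code. CURL_V_OUTPUT is the text quoted in this issue.
"""
import re

CURL_V_OUTPUT = """\
curl 7.62.0 (i386-pc-win32) libcurl/7.62.0 OpenSSL/1.1.1 (WinSSL) zlib/1.2.11 brotli/1.0.7 WinIDN libssh2/1.8.0 nghttp2/1.34.0
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz brotli TLS-SRP HTTP2 HTTPS-proxy MultiSSL
"""

# Assumed set of library names that curl prints for TLS backends.
TLS_BACKENDS = ("OpenSSL", "WinSSL", "Schannel", "GnuTLS", "NSS", "mbedTLS",
                "wolfSSL", "LibreSSL", "BoringSSL", "SecureTransport", "BearSSL")


def parse_curl_version(text):
    """Return active/inactive TLS backends and the SSPI/MultiSSL flags."""
    lines = text.splitlines()
    # First line: "curl <ver> (<platform>) lib/ver lib/ver (inactive/ver) ..."
    m = re.match(r"curl\s+\S+\s+\([^)]*\)\s*(.*)$", lines[0])
    if not m:
        raise ValueError("not a curl -V first line")
    active, inactive = [], []
    for tok in m.group(1).split():
        in_parens = tok.startswith("(") and tok.endswith(")")
        lib = tok.strip("()")
        if lib.split("/")[0] in TLS_BACKENDS:
            (inactive if in_parens else active).append(lib)
    features = []
    for line in lines:
        if line.startswith("Features:"):
            features = line.split(":", 1)[1].split()
    return {
        "active_tls": active,
        "inactive_tls": inactive,
        "sspi": "SSPI" in features,
        "multissl": "MultiSSL" in features,
    }


def backend_switch_needed(parsed, wanted="schannel"):
    """True when the wanted backend is built in but not active, i.e. when
    CURL_SSL_BACKEND must be set before the test is meaningful."""
    names = [lib.split("/")[0].lower() for lib in parsed["inactive_tls"]]
    aliases = {"schannel": ("schannel", "winssl")}
    return any(n in aliases.get(wanted, (wanted,)) for n in names)


if __name__ == "__main__":
    info = parse_curl_version(CURL_V_OUTPUT)
    print(info)
    print("set CURL_SSL_BACKEND=schannel" if backend_switch_needed(info) else "schannel already active")
```

Run against the quoted output, the parser reports OpenSSL/1.1.1 as the active backend and WinSSL as built in but inactive, which is exactly the situation jay points at.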

@bagder
Member

bagder commented Jan 29, 2019

(We should probably change that string in the -V output to use schannel...)

@georgeok
Contributor Author

@jay I definitely use WinSSL. I am also running the same test from Visual Studio, building with WinSSL and SSPI. Recently I put up a PR for the same issue in NTLM, #3321. The actual problem is that WinSSL binds the outer SSL connection to the NTLM and Negotiate messages to avoid replay attacks. Because WinSSL offers the bindings and the Windows servers accept them if they are offered, our requests are getting 401.

The fix is simple and I think similar to #3321, but applying similar changes can affect the non-SSPI Negotiate code.

I can work on it and submit a new PR, but it feels a bit out of my comfort zone. I am happy to do it, but I'd appreciate some help.
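The binding georgeok describes (the TLS server certificate tied into the NTLM and Negotiate messages) can be worked through end to end. The code below is an added Python example, not code from curl, from PR #3321/#3509 or from this issue. It follows RFC 5929 for the "tls-server-end-point" data, the SEC_CHANNEL_BINDINGS layout that Schannel hands back for SECPKG_ATTR_ENDPOINT_BINDINGS, and the RFC 1964 section 4.1.1.2 encoding whose MD5 is what NTLMv2 carries in its MsvChannelBindings AV_PAIR and Kerberos carries in the authenticator checksum (RFC 4121), which is why one blob from Schannel serves both mechanisms under Negotiate. The certificate bytes, the second "interposed" certificate and the Extended Protection policy check are constructed for the example and are not IIS code.

```python
"""
Channel bindings from TLS certificate to Negotiate message, as an added
example (not curl code). Certificates and the server policy check below
are constructed for illustration.
"""
import hashlib
import struct
from typing import Optional

# Constructed stand-ins for DER certificates (not real certificates).
SERVER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed server certificate bytes"
PROXY_CERT_DER = b"\x30\x82\x01\x00" + b"constructed interposed certificate bytes"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point: hash of the DER certificate with the
    hash of its signature algorithm, MD5 and SHA-1 upgraded to SHA-256."""
    algo = "sha256" if sig_hash.lower() in ("md5", "sha1") else sig_hash.lower()
    return b"tls-server-end-point:" + hashlib.new(algo, cert_der).digest()


def sec_channel_bindings(app_data: bytes) -> bytes:
    """Serialize a SEC_CHANNEL_BINDINGS blob as returned by Schannel for
    SECPKG_ATTR_ENDPOINT_BINDINGS: eight little-endian DWORDs (initiator and
    acceptor address type/length/offset, unused here, then application data
    length and offset) followed by the application data."""
    header = struct.pack("<8I", 0, 0, 0, 0, 0, 0, len(app_data), 32)
    return header + app_data


def parse_sec_channel_bindings(blob: bytes) -> bytes:
    """Pull the application data back out of a SEC_CHANNEL_BINDINGS blob."""
    fields = struct.unpack_from("<8I", blob, 0)
    length, offset = fields[6], fields[7]
    if offset + length > len(blob):
        raise ValueError("application data runs past the end of the blob")
    return blob[offset:offset + length]


def gss_bindings_hash(app_data: bytes) -> bytes:
    """MD5 over the RFC 1964 4.1.1.2 encoding of gss_channel_bindings_struct:
    initiator addrtype + length-prefixed address, acceptor likewise (both
    empty here), then length-prefixed application data, little-endian."""
    enc = struct.pack("<II", 0, 0)            # initiator: addrtype, length
    enc += struct.pack("<II", 0, 0)           # acceptor: addrtype, length
    enc += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(enc).digest()


def client_binding_hash(cert_der: bytes) -> bytes:
    """What a client does with the Schannel blob: parse it and hash it into
    the value placed in the NTLM AV_PAIR / Kerberos checksum."""
    blob = sec_channel_bindings(tls_server_end_point(cert_der))
    return gss_bindings_hash(parse_sec_channel_bindings(blob))


def server_decision(policy: str, client_hash: Optional[bytes], server_cert_der: bytes) -> int:
    """Constructed model of IIS Extended Protection (not IIS code): 'Off'
    ignores bindings, 'Accept' validates them only when the client offers
    them, 'Require' demands a match. Returns an HTTP status code."""
    if policy not in ("Off", "Accept", "Require"):
        raise ValueError("unknown policy")
    if policy == "Off":
        return 200
    if client_hash is None:
        return 200 if policy == "Accept" else 401
    expected = gss_bindings_hash(tls_server_end_point(server_cert_der))
    return 200 if client_hash == expected else 401


def run_scenarios() -> dict:
    """Direct connection versus a connection whose TLS was terminated by an
    interposed certificate, against Accept and Require."""
    direct = client_binding_hash(SERVER_CERT_DER)
    relayed = client_binding_hash(PROXY_CERT_DER)
    return {
        "accept/no bindings": server_decision("Accept", None, SERVER_CERT_DER),
        "accept/matching": server_decision("Accept", direct, SERVER_CERT_DER),
        "accept/relayed": server_decision("Accept", relayed, SERVER_CERT_DER),
        "require/no bindings": server_decision("Require", None, SERVER_CERT_DER),
        "require/matching": server_decision("Require", direct, SERVER_CERT_DER),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:22s} -> {status}")
```

The relayed case is the one the binding exists for: an authenticator computed over a different certificate's hash is rejected even under Accept, because once bindings are offered the server compares them. Under Require, a client that offers nothing is rejected outright.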

@jay
Member

jay commented Jan 30, 2019

Ok. I don't know a lot about NTLM so I can't be much help there. Hopefully someone will step up to help with review.

@georgeok
Contributor Author

I've started a PR #3509 to fix the issue.

@lock lock bot locked as resolved and limited conversation to collaborators May 2, 2019