Negotiate SSPI 401 Channel Bindings #3503
Similar to #3280
I did this
curl.exe -v -k --negotiate -u user:Password https://my.dc.local/adfs/ls/wia/
The issue is related to the SECPKG_ATTR_ENDPOINT_BINDINGS and the Windows Schannel.
curl 7.62 and master.
[curl -V output]
Windows 7,8,10 tested so far.
You are using curl built to support multiple SSL backends OpenSSL and WinSSL. You'll notice WinSSL is in parentheses which means it's not being used. What happens when you set the backend to schannel (which is what WinSSL is formally known as)?
@jay I definitely use WinSSL. I am also running the same test from Visual Studio building with WinSSL and SSPI. Recently I put a PR for the same issue on NTLM #3321. The actual problem is that WinSSL binds the outer ssl connection to the NTLM and Negotiate messages to avoid replay attacks. Because WinSSL offers the bindings and the Windows servers accept them if they are offered, our requests are getting 401.
The fix is simple and I think similar to #3321, but applying similar changes can affect the non-SSPI negotiate code.
I can work on it and submit a new PR, but it feels a bit out of my comfort zone. I am happy to do it, but I'd appreciate some help.
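The channel-binding data discussed in this thread, as an added example that is not part of the original issue and is not curl's code: a portable sketch of the "tls-server-end-point" binding blob (RFC 5929) in the layout of SEC_CHANNEL_BINDINGS, with a bounds-checked reader for inspecting one. The names `chan_bindings`, `cb_build` and `cb_cert_hash` are hypothetical, and the certificate hash is supplied by the caller (with SSPI, Schannel produces the finished blob itself).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed to mirror SEC_CHANNEL_BINDINGS from <sspi.h>: eight 32-bit fields in
   host byte order, followed by the data. Offsets count from the struct start. */
struct chan_bindings {
  uint32_t initiator_addr_type, initiator_len, initiator_off;
  uint32_t acceptor_addr_type, acceptor_len, acceptor_off;
  uint32_t app_data_len, app_data_off;
};

static const char EP_PREFIX[] = "tls-server-end-point:"; /* RFC 5929 */
#define EP_PREFIX_LEN (sizeof(EP_PREFIX) - 1)

/* Write header + prefix + server certificate hash into out.
   Returns the number of bytes written, or 0 if the input does not fit. */
size_t cb_build(const uint8_t *hash, size_t hash_len,
                uint8_t *out, size_t out_cap)
{
  struct chan_bindings h;
  size_t total = sizeof(h) + EP_PREFIX_LEN + hash_len;
  if(hash_len == 0 || hash_len > 64 || total > out_cap)
    return 0;
  memset(&h, 0, sizeof(h)); /* no initiator/acceptor address data */
  h.app_data_len = (uint32_t)(EP_PREFIX_LEN + hash_len);
  h.app_data_off = (uint32_t)sizeof(h);
  memcpy(out, &h, sizeof(h));
  memcpy(out + sizeof(h), EP_PREFIX, EP_PREFIX_LEN);
  memcpy(out + sizeof(h) + EP_PREFIX_LEN, hash, hash_len);
  return total;
}

/* Locate the certificate hash inside a bindings blob, rejecting offsets and
   lengths that point outside the buffer. Returns the hash length, or 0. */
size_t cb_cert_hash(const uint8_t *blob, size_t blob_len, const uint8_t **hash)
{
  struct chan_bindings h;
  if(blob_len < sizeof(h))
    return 0;
  memcpy(&h, blob, sizeof(h));
  if(h.app_data_off < sizeof(h) || h.app_data_off > blob_len ||
     h.app_data_len > blob_len - h.app_data_off ||
     h.app_data_len <= EP_PREFIX_LEN)
    return 0;
  if(memcmp(blob + h.app_data_off, EP_PREFIX, EP_PREFIX_LEN) != 0)
    return 0;
  *hash = blob + h.app_data_off + EP_PREFIX_LEN;
  return h.app_data_len - EP_PREFIX_LEN;
}
```

Because the hash is tied to the certificate of the outer TLS connection, an authentication message relayed over a different TLS session carries a binding the server will not accept.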