I am developing an application that requires to authenticate with proxy using negotiate. User may not have Kerberos client installed. I am trying to achieve this using MIT Kerberos Library in order to avoid platform dependecy. I have successfully got TKT using krb5_get_init_creds_password and verified it krb5_verify_init_creds. Now I want ot create SPNEGO token to be sent in HTTP header using this TKT. Can anyone tell me any API or method to create SPNEGO token?
1 Answers
1
votes
You can use gss_init_sec_context for the purpose.
Some background:-
SPNEGO is an abstraction on top of kerberos for HTTP based communication(which does not use the security context for encryption though)
for this pupose do the following:-
Now that you have krb5_get_init_creds_password and have got the krb5 mech credential create an in memory credential cache using krb5_cc_new_unique and then initialize it.
Now use krb5_cc_store_cred to store it into that cache
Use gss_krb5_import_cred to get a GSSAPI token
Now you have all the necessary preauth info. All you need to do is to use gss_init_sec_context for create an input token.
Now here is a good part, latest MIT Kerberos libraries support SPNEGO natively. There is an OID structure called gss_OID that you need to create. For SPNEGO that is:-
static gss_OID_desc _gss_mech_spnego = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
and then pass this as an argument to gss_init_sec_context.
If you are using an older MIT Kerberos library then I suggest you use fbopenssl for this purpose. You can check out curl source code to check out how it is done.
