Generate simple successful HTTP Negotiate/NTLM process in C#/PowerShell/Python/High-Level Lang - kerberos

I've looked over the SSPI documentation, however I can find relatively little in the way of sample or working code that implements the library interfaces required in C++.
My goal: There have been numerous situations where NTLM authentication has failed. I would like to be able to isolate the SSPI negotiation process as a stand-alone script to verify how the browser should behave.
As far as I can understand, I should be able to generate a simple Negotiation process with Windows Auth endpoint HTTP server X which succeeds regardless of whether Kerberos or NTLM functions.
Is this a question of trial and error with very old MSFT documentation, or is there some simple port of the SSPI API that I'm missing? I'd prefer to avoid C++ if possible.
Edit: So far, I've found this: https://github.com/antiduh/nsspi. Might be my best bet unless there's something else out there. Some of the Moz devs refer to sample code that no longer exists: https://bugzilla.mozilla.org/show_bug.cgi?id=159015
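A stand-alone checker does not have to drive SSPI itself to be useful: most of what a browser decides is visible in the server's 401 challenges. The following Python is an added example, not code from the question, from nsspi or from any Microsoft sample. It reads the `WWW-Authenticate` headers of a raw HTTP response, tells whether each one is a bare offer, an SPNEGO token (what Kerberos-capable Negotiate looks like) or a raw NTLMSSP blob (the NTLM fallback), and decodes the NTLM CHALLENGE_MESSAGE fields that usually explain a failed negotiation (target domain, negotiate flags, target info). `RAW_401` is a constructed response so the script runs offline; the field layout and flag values follow MS-NLMP.

```python
"""Decode the WWW-Authenticate challenges a Windows Integrated Auth endpoint sends.

Added example (not from the question or any SSPI project). RAW_401 is a
constructed 401 response; paste a real one in its place to inspect a live
server. NTLM offsets and flag bits follow MS-NLMP (CHALLENGE_MESSAGE).
"""
import base64
import struct

# NTLM NegotiateFlags bits (MS-NLMP 2.2.2.5) a troubleshooter usually cares about.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NTLM_SIGNATURE = b"NTLMSSP\x00"


def build_ntlm_challenge(target, server_challenge, flags):
    """Assemble a CHALLENGE_MESSAGE so the parser has offline input (constructed data)."""
    target_bytes = target.encode("utf-16-le")
    # TargetInfo: one AV_PAIR (MsvAvNbDomainName = 0x0002) followed by MsvAvEOL.
    av_pairs = struct.pack("<HH", 0x0002, len(target_bytes)) + target_bytes + struct.pack("<HH", 0, 0)
    header_len = 56                                   # fixed part incl. the 8-byte Version field
    target_off = header_len
    info_off = target_off + len(target_bytes)
    msg = NTLM_SIGNATURE + struct.pack("<I", 2)       # MessageType = CHALLENGE
    msg += struct.pack("<HHI", len(target_bytes), len(target_bytes), target_off)
    msg += struct.pack("<I", flags)
    msg += server_challenge + b"\x00" * 8             # ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), info_off)
    msg += b"\x00" * 8                                # Version: all zero, NEGOTIATE_VERSION unset
    return msg + target_bytes + av_pairs


def parse_ntlm_challenge(blob):
    """Pull target name, flags, server challenge and AV_PAIRs out of a CHALLENGE_MESSAGE."""
    if blob[:8] != NTLM_SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tlen, _, toff = struct.unpack_from("<HHI", blob, 12)     # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]
    ilen, _, ioff = struct.unpack_from("<HHI", blob, 40)     # TargetInfoFields
    encoding = "utf-16-le" if flags & 0x00000001 else "ascii"
    av_pairs, pos, end = {}, ioff, ioff + ilen
    while pos + 4 <= end:                             # walk AV_PAIRs until MsvAvEOL (id 0)
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        av_pairs[av_id] = blob[pos:pos + av_len]
        pos += av_len
    return {
        "target": blob[toff:toff + tlen].decode(encoding),
        "flags": flags,
        "flag_names": sorted(name for bit, name in NTLM_FLAGS.items() if flags & bit),
        "server_challenge_hex": blob[24:32].hex(),
        "av_pairs": av_pairs,
    }


def diagnose(raw_response):
    """One entry per WWW-Authenticate header of a raw HTTP response; NTLM challenges decoded."""
    report = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, token = value.strip().partition(" ")
        entry = {"scheme": scheme, "kind": "offer"}           # bare scheme: server only offers it
        if token.strip():
            blob = base64.b64decode(token.strip())
            if blob.startswith(NTLM_SIGNATURE):               # NTLMSSP carried directly
                entry["kind"] = "raw-ntlm"
                entry["ntlm"] = parse_ntlm_challenge(blob)
            elif blob[:1] in (b"\x60", b"\xa1"):              # GSS-API InitialContextToken / NegTokenResp
                entry["kind"] = "spnego"
            else:
                entry["kind"] = "unknown"
        report.append(entry)
    return report


# Constructed input. Flags = UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_TYPE_DOMAIN
# | EXTENDED_SESSIONSECURITY | TARGET_INFO | 128 | 56 = 0xA0898205.
CHALLENGE = build_ntlm_challenge("CORP", bytes(range(1, 9)), 0xA0898205)
RAW_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM " + base64.b64encode(CHALLENGE).decode() + "\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

Run `diagnose()` over the headers captured from the failing endpoint (a browser's network panel or a proxy dump gives them verbatim). A bare `Negotiate` offer followed by a raw NTLMSSP token on the next round trip means the exchange fell back to NTLM; an `0xA1` NegTokenResp means SPNEGO, and usually Kerberos, is in play. `TARGET_TYPE_DOMAIN` with no `NEGOTIATE_EXTENDED_SESSIONSECURITY` bit, or an unexpected target name, are the flag-level details worth comparing against what the browser sends.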

Related

Can different auth methods result in different access levels?

I'm troubleshooting a legacy REST application used by my company (the person responsible for its implementation is no longer with the firm, and the source code is being looked for) and encountered a weird issue, namely providing no auth data results in 401 (as it should), sending username+password or token results in 403, yet opening the URL in Chrome on my laptop (where I'm logged in to the central system) gets the response I expected (file gets downloaded).
Note that all services are supposed to be linked with the central AUTH server for convenience, so my current hypothesis is that different access rights are given depending on the auth method used. Is that possible? Is it proper?
I'm not sure how any of this is relevant but:
providing no auth method returns response indicating auth-method as 'negotiate'
providing one of 'standard' auth methods returns 403
using a library that supposedly implements 'negotiate' method to Python's requests (requests-negotiate) returns errors
using PowerShell $client = New-Object System.Net.WebClient; $client.Credentials = Get-Credential; $client.DownloadFile($url, $path) works as intended (file gets downloaded)
I want to be able to download these files from a remote server (running Linux, so no PowerShell) without having to download them to my local machine and upload them to my remote workspace.
Any help/suggestions are greatly appreciated.
Apparently the service uses Windows "integrated authentication", i.e. NTLM or Kerberos.
It's not straightforward to get that working on Linux, but not impossible either. You will have to join the client to the domain and get a Kerberos ticket to authenticate, which is somewhat off-topic here. Look at SPNEGO on Linux, and this question for example has some hints.

IdentityServer4 & Windows Authentication

I've been chasing this problem around for a while now and I can't get to the bottom of it. I've read the other solutions on here (https://identityserver4.readthedocs.io and https://github.com/IdentityServer/IdentityServer4.Quickstart.UI) and it's still not working, so I've tried to reduce this down to the absolute basics. This is not the actual problem I am facing, but produces the very same outcome. i.e. I can't get Windows Authentication to work.
I clone https://github.com/IdentityServer/IdentityServer4.Samples
I amend Quickstarts/7_JavaScriptClient/src/QuickstartIdentityServer/Quickstart/Account/AccountController.cs so that WindowsAuthenticationEnabled is true
I then go to http://localhost:5000/account/login and attempt to use the Windows external provider and I get 401.
The only difference between this simple sample and what I see on my actual system is that I'm getting challenged for credentials on my real site.
Debugging the code I never see if(HttpContext.User is WindowsPrincipal) succeeding, because it's always a ClaimsPrincipal.
Can someone explain to me what I'm doing wrong?
Do you have Windows authentication enabled on your IIS site? This needs to be enabled for your WindowsPrincipal to be assigned. Note that Windows authentication only works when running behind IIS or IIS Express.
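The missing piece in the answer is configuration, not code. The fragment below is an added example, not a file from the IdentityServer4 samples: it is the `Properties/launchSettings.json` shape Visual Studio uses to start a project under IIS Express, with both `windowsAuthentication` and `anonymousAuthentication` switched on. Both are needed: anonymous access keeps the login page itself reachable, and Windows authentication lets the IIS layer answer the Windows external-provider challenge, which is when `HttpContext.User` arrives as a `WindowsPrincipal`. The URL is the one from the question; the profile name and environment variable are conventional defaults, not values taken from the page.

```json
{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:5000",
      "sslPort": 0
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}
```

Starting the quickstart with plain `dotnet run` uses Kestrel, where these settings have no effect and the Windows provider can only ever return 401; pick the IIS Express profile (or deploy behind full IIS with Windows authentication enabled on the site) to reproduce the intended behaviour.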

What rights am I missing?

I'm trying to connect to IBM FileNet from my ASP.Net application using Kerberos. My AppPool is running under the LocalSystem account. There is a "Trust computer for delegation" permission in AD. Impersonation is enabled in IIS for the application. But I'm still getting
SecurityException: WSE594: InitializeSecurityContext call failed with the following error message: A specified logon session does not exist. It may already have been terminated.
What am I missing?
I don't have enough points to comment, so I have to post an answer instead.
You are not really giving enough information here.
Your error is a WSE error, and may not have anything to do with FileNet.
It may help to answer these questions:
Have you already set up FileNet for Kerberos SSO and tested to ensure it works?
What version of FileNet are you running? (If you still have access to FEM, you can use it to test Kerberos.)
Why are you using WSE? MS cut support (a long time ago) and has replaced it with WCF. I only ask as you might find it easier to implement WCF.
You might want to give Implementing Kerberos a read.

Connect to JMX using PowerShell

I am not a developer so please keep that in mind when reading the following message:
I need to be able to use Windows PowerShell to connect to a JMX RMI agent on a host. Is this even possible?
The example string from the java client I have been given is as below:
JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:7979/jmxrmi");
The reason for this is that I am doing other work in my PowerShell script and would like to keep it all in one place.
Thanks!
This is an unusual mix of two technologies, but it is possible.
On the off-chance that you are attempting to connect to a JBoss server, the quickest way may be for you to call twiddle, a command tool that will dispatch JMX requests to the target JBoss server and return the results to standard out.
Another way is to implement the Jolokia agent on the target servers. This will allow you to issue JMX requests using REST. Responses will also be returned in REST format which you can process in PowerShell using one of these solutions.
Thirdly, you can also deploy the JMX-WS service on your target servers which will allow you to communicate with the JMX server using web-services. This document provides some VBScript examples of this.
None of the above actually uses the JMXServiceURL syntax you outlined, and I cannot think of a way you could actually cleanly integrate this RMI based protocol into PowerShell, but hopefully one of the above will work for you.
========== UPDATE ==========
There may be a way to use the RMI implementation. Take a look at IKVM. It is a Java Byte Code to .NET compiler. I have successfully compiled JMX/RMI java code into a .Net assembly and used it from C#. I think PowerShell will do the same thing.

Is there a way to do FTP-SSL with Perl's Net::FTP module?

I'm working on a project that requires me to download files from FTP using Perl. I just found out that I've got the option to use FTP-SSL. It seems that this is just SSL encrypted FTP (similar to HTTP vs. HTTPS) and I should just have to send the "AUTH TLS" or "AUTH SSL" commands to the FTP server.
The question: is there a way to do this with the standard Net::FTP? I've checked the docs and the only thing I've found about it is use the "features" function to find out if the server supports it.
I found the Net::FTPSSL module on CPAN, but the author says sometimes the server does not receive the data that was sent. That doesn't sound like something I want to put into production.
Short answer: no.
From looking at the source of Net::FTP I'd say it's not possible to use SSL with it. I'd rather test if Net::FTPSSL works with the FTP server you're going to use your program with. If your program needs to be able to work with any FTP server, you might want to try and fix the module for those servers it doesn't work with and contribute your code to the original module.
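The sequence the question describes (check FEAT for AUTH, send AUTH TLS, log in, then protect the data channel, then RETR) is the same in any high-level language. The block below is an added example written with Python's standard `ftplib`, not code from the question, from Net::FTP or from Net::FTPSSL; it is here to make the explicit-FTPS handshake concrete and to show the two checks that are easy to miss: verifying the server certificate, and issuing PROT P so the file itself is not sent in plaintext. `SAMPLE_FEAT` is a constructed FEAT reply; host, credentials and paths are placeholders, so only the offline helpers are exercised without a server.

```python
"""Explicit FTPS (AUTH TLS) from a high-level language, using Python's ftplib.

Added example (not from the question, Net::FTP or Net::FTPSSL). Host,
credentials and paths passed to download_over_ftps() are placeholders.
"""
import ssl
from ftplib import FTP_TLS, error_perm

# Constructed FEAT reply of the kind Net::FTP's features() parses (RFC 2389 / RFC 4217).
SAMPLE_FEAT = (
    "211-Extensions supported:\r\n"
    " UTF8\r\n"
    " AUTH TLS;TLS-C;SSL;TLS-P;\r\n"
    " PBSZ\r\n"
    " PROT\r\n"
    "211 End\r\n"
)


def auth_mechanisms(feat_reply):
    """Return the mechanisms a server lists after AUTH in its FEAT reply, upper-cased."""
    mechs = set()
    for line in feat_reply.splitlines():
        line = line.strip()
        if line.upper().startswith("AUTH "):
            # RFC 4217 lets a server list several mechanisms separated by ';'.
            mechs.update(m.strip().upper() for m in line[5:].split(";") if m.strip())
    return mechs


def make_tls_context(cafile=None):
    """TLS settings shared by the control and data channels: verify the peer, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname already on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_summary(ctx):
    """Plain values describing a context, for inspection and testing."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def download_over_ftps(host, user, password, remote_path, local_path, cafile=None, port=21):
    """Download one file over explicit FTPS; refuses to log in if AUTH TLS/SSL is unavailable."""
    ftps = FTP_TLS(context=make_tls_context(cafile))
    ftps.connect(host, port, timeout=30)
    try:
        feat = ftps.sendcmd("FEAT")                   # allowed before login (RFC 2389)
    except error_perm:                                # server without FEAT: treat as no AUTH
        feat = ""
    if not auth_mechanisms(feat) & {"TLS", "SSL"}:
        ftps.quit()
        raise RuntimeError(f"{host} does not advertise AUTH TLS/SSL; refusing plaintext login")
    ftps.auth()                    # sends AUTH TLS and wraps the control connection in TLS
    ftps.login(user, password)     # credentials now travel encrypted
    ftps.prot_p()                  # PBSZ 0 + PROT P: without this the data channel stays plaintext
    with open(local_path, "wb") as fh:
        ftps.retrbinary(f"RETR {remote_path}", fh.write)
    ftps.quit()
```

Net::FTPSSL's reported data-loss problems are about the data channel, which is exactly the part `prot_p()` governs here; if you do end up testing Net::FTPSSL against your server, compare its behaviour with and without `PROT P` (its `DataProtLevel`/"P" option) before deciding it is unfit for production.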