How do I handle Negotiate in .NET?


Problem description

I'm trying to implement Negotiate (at least the Kerberos part) in a small web server. I've figured out how to get a client to send me a Kerberos Negotiate Authorization header. I've figured out how to decode that data (ASN.1). I cannot figure out how to turn this into a WindowsIdentity. I can get a general idea of how I might from KerberosReceiverSecurityToken, but I can't find anything like a NegotiateReceiverSecurityToken. I've been digging through lots of DLLs and I can't for the life of me figure out where IIS/.NET processes the Negotiate header.

I presume (if I had my own SspiWrapper) that I would do something with SspiWrapper.AcquireDefaultCredential("Negotiate", CredentialUse.Inbound) to acquire an SSPI context with which I could call AcceptSecurityContext/Negotiate and then use QuerySecurityContextToken to get the token with which I could create a WindowsIdentity.

But KerberosReceiverSecurityToken makes that look like an immensely complicated process. And without any idea of how to do that or what part of the Authorization header payload to put into it, I could probably beat my head against it for a month without getting anywhere.

(Before you ask or answer, I have absolutely no interest in using the built-in Negotiate logic. If I could find it, I would learn from it, but I've been trying to get that to work for FAR too long. And I'm done with that.)

Recommended answer

  1. Parse the incoming response token
  2. Call Secur32.AcquireCredentialsHandle to get a handle
  3. Call Secur32.AcceptSecurityContext passing the handle and the token
  4. Call Secur32.QuerySecurityContextToken passing the security context
  5. Construct a new WindowsIdentity(hToken) using the output from step 4

If you have any questions about any of these steps, I can elaborate and/or provide some sample code.
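The five steps above as P/Invoke calls, added here as an illustration; this is not code from the original answer. The class name `NegotiateSketch` and its `Authenticate` method are hypothetical. It assumes Windows, a process running under the account that owns the HTTP SPN, and an exchange that completes in one leg (the usual Kerberos case); a multi-leg exchange, which returns SEC_I_CONTINUE_NEEDED, is rejected rather than continued.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
static class NegotiateSketch // hypothetical name, not from the page
{
    [StructLayout(LayoutKind.Sequential)] struct SecHandle { public IntPtr Lower, Upper; }
    [StructLayout(LayoutKind.Sequential)] struct SecBuffer { public int cbBuffer, BufferType; public IntPtr pvBuffer; }
    [StructLayout(LayoutKind.Sequential)] struct SecBufferDesc { public int ulVersion, cBuffers; public IntPtr pBuffers; }
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int AcquireCredentialsHandle(string principal, string package, int credUse, IntPtr logonId,
        IntPtr authData, IntPtr getKeyFn, IntPtr getKeyArg, out SecHandle cred, out long expiry);
    [DllImport("secur32.dll")]
    static extern int AcceptSecurityContext(ref SecHandle cred, IntPtr ctxIn, ref SecBufferDesc input, int req,
        int dataRep, out SecHandle ctxOut, ref SecBufferDesc output, out int attrs, out long expiry);
    [DllImport("secur32.dll")] static extern int QuerySecurityContextToken(ref SecHandle ctx, out IntPtr token);
    [DllImport("secur32.dll")] static extern int DeleteSecurityContext(ref SecHandle ctx);
    [DllImport("secur32.dll")] static extern int FreeCredentialsHandle(ref SecHandle cred);
    [DllImport("secur32.dll")] static extern int FreeContextBuffer(IntPtr buffer);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    public static WindowsIdentity Authenticate(string header) // header: "Negotiate <base64>"; null = reject with 401
    {
        if (!header.StartsWith("Negotiate ", StringComparison.OrdinalIgnoreCase)) return null;
        byte[] token = Convert.FromBase64String(header.Substring(10).Trim()); // step 1; FormatException = bad request
        int rc = AcquireCredentialsHandle(null, "Negotiate", 1 /* SECPKG_CRED_INBOUND */, IntPtr.Zero,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out SecHandle cred, out _); // step 2
        if (rc != 0) throw new System.ComponentModel.Win32Exception(rc);
        var hTok = GCHandle.Alloc(token, GCHandleType.Pinned);
        var inBuf = new[] { new SecBuffer { cbBuffer = token.Length, BufferType = 2 /* SECBUFFER_TOKEN */, pvBuffer = hTok.AddrOfPinnedObject() } };
        var outBuf = new[] { new SecBuffer { BufferType = 2 } }; // filled by SSPI (ASC_REQ_ALLOCATE_MEMORY)
        GCHandle hIn = GCHandle.Alloc(inBuf, GCHandleType.Pinned), hOut = GCHandle.Alloc(outBuf, GCHandleType.Pinned);
        var inDesc = new SecBufferDesc { cBuffers = 1, pBuffers = hIn.AddrOfPinnedObject() };
        var outDesc = new SecBufferDesc { cBuffers = 1, pBuffers = hOut.AddrOfPinnedObject() };
        var ctx = default(SecHandle);
        try
        {
            rc = AcceptSecurityContext(ref cred, IntPtr.Zero, ref inDesc, 0x100 /* ASC_REQ_ALLOCATE_MEMORY */,
                0x10 /* SECURITY_NATIVE_DREP */, out ctx, ref outDesc, out _, out _); // step 3
            if (outBuf[0].pvBuffer != IntPtr.Zero) FreeContextBuffer(outBuf[0].pvBuffer); // reply token, unused here
            if (rc != 0) return null; // error, or SEC_I_CONTINUE_NEEDED (multi-leg): not handled in this sketch
            if (QuerySecurityContextToken(ref ctx, out IntPtr hToken) != 0) return null; // step 4
            try { return new WindowsIdentity(hToken); } finally { CloseHandle(hToken); } // step 5; ctor duplicates the handle
        }
        finally
        {
            if (ctx.Lower != IntPtr.Zero || ctx.Upper != IntPtr.Zero) DeleteSecurityContext(ref ctx);
            FreeCredentialsHandle(ref cred); hOut.Free(); hIn.Free(); hTok.Free();
        }
    }
}
```

A server that wants mutual authentication would base64-encode the output token and return it in a `WWW-Authenticate: Negotiate` header instead of freeing it unread.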
