GSSAPI for NTLM authentication


Problem description

Is it possible to use GSSAPI for NTLM v1/v2 authentication? I am trying to build a web server, quite like squid / apache, but I would like to authenticate clients that could be using IE / Firefox, using NTLM / Negotiate protocols. I tried using heimdal libraries but simply can't get gss_accept_sec_context to work. It simply fails with "An unsupported mechanism was requested". I can confirm that the service principal name, OIDs for spnego etc. did happen correctly when the gss_acquire_cred was called before the gss_accept_sec_context was attempted. Yes of course, I extracted the token received from the client by base64 decoding the authorization headers. I am using C++, and experimenting with this on Debian. I am sure one of the fantastic hacks around here knows more, and I hope they will share some important clues.

Thanks in advance.

Recommended answer

The Heimdal GSSAPI library supports SPNEGO, NTLMv1/v2 and KRB5. They also have the raw NTLM library that you could use to implement the protocol yourself.

https://www.h5l.org/manual/HEAD/gssapi/
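
An added example, not part of the original question or answer: a small C++ check that reports which mechanism a base64-decoded `Authorization` token carries (raw NTLMSSP, SPNEGO-wrapped, or bare Kerberos 5), which is useful to know before the token is handed to `gss_accept_sec_context`. The function and type names are hypothetical; the byte patterns are the NTLMSSP signature and the DER-encoded OIDs 1.3.6.1.5.5.2 (SPNEGO) and 1.2.840.113554.1.2.2 (Kerberos 5).

```cpp
#include <cstdint>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
enum class TokenKind { RawNtlm, Spnego, Kerberos5, Unknown };

// Decode standard base64; stops at '=' padding or any non-alphabet character.
Bytes b64decode(const std::string& in) {
    static const std::string tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    Bytes out;
    uint32_t acc = 0;
    int bits = 0;
    for (char c : in) {
        const auto pos = tbl.find(c);
        if (c == '=' || pos == std::string::npos) break;
        acc = (acc << 6) | static_cast<uint32_t>(pos);
        if ((bits += 6) < 8) continue;
        bits -= 8;
        out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF));
    }
    return out;
}

// True if `pat` occurs in `t` at offset `off` (bounds-checked).
static bool matchAt(const Bytes& t, std::size_t off, const Bytes& pat) {
    if (off > t.size() || t.size() - off < pat.size()) return false;
    for (std::size_t i = 0; i < pat.size(); ++i)
        if (t[off + i] != pat[i]) return false;
    return true;
}

// Classify a decoded token by its leading bytes only; nothing is validated.
TokenKind classifyToken(const Bytes& t) {
    static const Bytes ntlm = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    static const Bytes spnego = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    static const Bytes krb5 = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
    if (matchAt(t, 0, ntlm)) return TokenKind::RawNtlm;
    if (t.size() < 2 || t[0] != 0x60) return TokenKind::Unknown;  // not a GSS-API initial token
    // Skip the DER length: short form is one byte, long form adds (t[1] & 0x7f) bytes.
    const std::size_t oidOff = 2u + ((t[1] & 0x80) ? (t[1] & 0x7fu) : 0u);
    if (matchAt(t, oidOff, spnego)) return TokenKind::Spnego;
    if (matchAt(t, oidOff, krb5)) return TokenKind::Kerberos5;
    return TokenKind::Unknown;
}

// Classify the value of an Authorization header such as "Negotiate <base64>".
TokenKind classifyAuthorization(const std::string& value) {
    const auto sp = value.find(' ');
    return sp == std::string::npos ? TokenKind::Unknown : classifyToken(b64decode(value.substr(sp + 1)));
}
```

Logging the result next to the GSSAPI major/minor status shows whether the acceptor was given a mechanism its credentials were acquired for.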
