问题
I'm trying to implement Negotiate (at least the Kerberos part) in a small web server. I've figured out how to get a client to send me a Kerberos Negotiate Authorization header. I've figured out how to decode that data (ASN.1). I cannot figure out how to turn this into a WindowsIdentity. I can get a general idea of how I might from KerberosReceiverSecurityToken, but I can't find anything like a NegotiateReceiverSecurityToken. I've been digging through lots of DLLs and I can't for the life of me figure out where IIS/.NET processes the Negotiate header.
I presume (if I had my own SspiWrapper) that I would do something with SspiWrapper.AcquireDefaultCredential("Negotiate", CredentialUse.Inbound) to acquire an SSPI context with which I could call AcceptSecurityContext/Negotiate and then use QuerySecurityContextToken to get the token with which I could create a WindowsIdentity.
But KerberosReceiverSecurityToken makes that look like an immensely complicated process. And without any idea of how to do that or what part of the Authorization header payload to put into it, I could probably beat my head against it for a month without getting anywhere.
(Before you ask or answer, I have absolutely no interest in using the built in Negotiate logic. If I could find it, I would learn from it, but I've been trying to get that to work for FAR to long. And I'm done with that.)
回答1:
- Parse the incoming response token
- Call
Secur32.AcquireCredentialsHandleto get a handle - Call
Secur32.AcceptSecurityContextpassing the handle and the token - Call
Secur32.QuerySecurityContextTokenpassing the security context - Construct a
new WindowsIdentity(hToken)using the output form step 4
If you have any questions about any of these steps, I can elaborate and/or provide some sample code.
来源:https://stackoverflow.com/questions/40944092/how-do-i-handle-negotiate-in-net