Subject: Negotiating NTLM with SPNEGO against Windows Server 2003 doesn't work
https://bugzilla.redhat.com/show_bug.cgi?id=1122324 refers to a
situation where:

* An NTLM mech is loaded.
* The user has initial tickets.
* A service ticket cannot be obtained for the server (say, because its
IP address was used).
* The application server implements an old variant of SPNEGO without
mechlistMIC support.

In this scenario, we never try regular krb5 because we can't get a
service ticket. But we do try IAKERB, which only requires an initial
ticket. We would like the negotiation to fall back to NTLM, but it
can't, because the server doesn't respond with REQUEST_MIC and
init_ctx_reselect requires that it does.

We have several options for making this scenario work:

* Provide a way to disable IAKERB via configuration. (A client
application can already do this with gss_set_neg_mechs, but in this case
the client is a web browser and is probably not interested in mucking
around with mech OIDs.)

* Provide a way to load a mechanism such that it is ordered between krb5
and IAKERB.

* Relax the requirement for a MIC exchange when a non-preferred
mechanism is selected. This is David Woodhouse's suggestion, but it
essentially removes RFC 4178's downgrade protection.

* Relax the requirement for a MIC exchange when a non-preferred
mechanism is selected, unless the negotiated mech context is "new
enough" to indicate that the peer ought to support RFC 4178. Heimdal
appears to do this via the GSS_C_PEER_HAS_UPDATED_SPNEGO
inquire_sec_context_by_oid query.

See also:

http://mailman.mit.edu/pipermail/krbdev/2014-July/012085.html
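To make the failure mode in the report concrete, here is a small Python model of the initiator-side reselect decision and of what the RFC 4178 mechListMIC exchange actually buys. This is an added example, not krb5's spnego_mech.c and not code from anyone in this ticket. The mechanism OIDs are the real ones; everything else is a deliberate simplification: the acceptor, the active attacker, the "context key" HMAC that stands in for the negotiated mechanism's GSS_GetMIC, and the acceptor returning its MIC in the same token as its counter-proposal. The NTLMSSP exception is modelled on the commit message in this ticket (loosen the MIC requirement only when falling back to NTLMSSP), not on the exact code.

```python
"""Toy model of SPNEGO initiator reselect handling and mechListMIC checking.
Added example, not krb5 project code.  Real mechanism OIDs; constructed
messages, acceptor, attacker and HMAC-for-GSS_GetMIC stand-in."""
import hashlib
import hmac
from enum import Enum

KRB5 = "1.2.840.113554.1.2.2"       # Kerberos V5 mechanism OID
IAKERB = "1.3.6.1.5.2.5"            # IAKERB mechanism OID
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"  # Microsoft NTLMSSP mechanism OID


class NegState(Enum):
    """RFC 4178 negState values."""
    ACCEPT_COMPLETED = 0
    ACCEPT_INCOMPLETE = 1
    REJECT = 2
    REQUEST_MIC = 3


def initiator_mech_list(have_service_ticket, have_initial_ticket, ntlm_loaded):
    """Mechanisms the initiator can produce a first token for, in preference
    order (simplified): krb5 needs a service ticket, IAKERB only an initial one."""
    mechs = []
    if have_service_ticket:
        mechs.append(KRB5)
    if have_initial_ticket:
        mechs.append(IAKERB)
    if ntlm_loaded:
        mechs.append(NTLMSSP)
    return mechs


def mech_list_mic(context_key, mech_list):
    """Stand-in for GSS_GetMIC over the DER-encoded mechTypes list (constructed:
    HMAC-SHA256 under a key both real peers derive from the negotiated mech)."""
    return hmac.new(context_key, ",".join(mech_list).encode(), hashlib.sha256).digest()


def init_ctx_reselect(offered, supported_mech, neg_state, allow_ntlmssp_without_mic):
    """Initiator's check when the acceptor's supportedMech is not the optimistic
    (first) mechanism.  Returns (status, mic_required)."""
    if supported_mech not in offered:
        return "DEFECTIVE_TOKEN", False   # acceptor picked something never offered
    if supported_mech == offered[0]:
        return "CONTINUE", False          # not a reselect at all
    if neg_state == NegState.REQUEST_MIC:
        return "CONTINUE", True           # RFC 4178: MIC exchange is mandatory here
    if allow_ntlmssp_without_mic and supported_mech == NTLMSSP:
        return "CONTINUE", False          # Windows 2003 interop exception
    return "DEFECTIVE_TOKEN", False       # downgrade protection: refuse


def acceptor_respond(received_mechs, acceptor_mechs, rfc4178, context_key):
    """Acceptor reply as (negState, supportedMech, mechListMIC or None).  A
    pre-RFC 4178 acceptor counter-proposes with accept-incomplete and no MIC."""
    selected = next((m for m in received_mechs if m in acceptor_mechs), None)
    if selected is None:
        return NegState.REJECT, None, None
    if not rfc4178:
        return NegState.ACCEPT_INCOMPLETE, selected, None
    state = NegState.REQUEST_MIC if selected != received_mechs[0] else NegState.ACCEPT_INCOMPLETE
    return state, selected, mech_list_mic(context_key, received_mechs)


def negotiate(initiator_mechs, acceptor_mechs, rfc4178_acceptor,
              allow_ntlmssp_without_mic, mitm_strip_mechs=(), mitm_strip_mic=False):
    """One negotiation, optionally with an active attacker who removes mechanisms
    from the initiator's mechTypes and/or the MIC from the acceptor's reply.
    Returns (outcome, selected mechanism)."""
    context_key = b"constructed: key the two real peers share once the mech completes"
    on_wire = [m for m in initiator_mechs if m not in mitm_strip_mechs]
    neg_state, selected, mic = acceptor_respond(on_wire, acceptor_mechs,
                                                rfc4178_acceptor, context_key)
    if neg_state == NegState.REJECT:
        return "REJECT", None
    if mitm_strip_mic:
        mic = None                        # the MIC field itself is not protected
    status, mic_required = init_ctx_reselect(initiator_mechs, selected, neg_state,
                                             allow_ntlmssp_without_mic)
    if status != "CONTINUE":
        return status, None
    if mic is None:
        return ("DEFECTIVE_TOKEN", None) if mic_required else ("COMPLETE_UNVERIFIED", selected)
    if not hmac.compare_digest(mic, mech_list_mic(context_key, initiator_mechs)):
        return "BAD_MIC", None            # acceptor saw a tampered mechTypes list
    return "COMPLETE_VERIFIED", selected


if __name__ == "__main__":
    browser = initiator_mech_list(have_service_ticket=False, have_initial_ticket=True, ntlm_loaded=True)
    win2003 = [KRB5, NTLMSSP]
    for relax in (False, True):
        print("Windows 2003, relax=%s:" % relax, negotiate(browser, win2003, False, relax))
    everything = initiator_mech_list(True, True, True)
    print("MITM strips krb5+IAKERB and the MIC, relax=True:",
          negotiate(everything, win2003, True, True, (KRB5, IAKERB), mitm_strip_mic=True))
```

The first two runs reproduce the ticket: a browser with only an initial ticket offers IAKERB then NTLMSSP, the old server counter-proposes NTLMSSP with accept-incomplete, and the strict initiator returns a defective-token error while the relaxed one completes over NTLM. The third run is the cost David Woodhouse's suggestion pays: an attacker who strips krb5 and IAKERB from the mechTypes and drops the acceptor's MIC gets an unverified NTLM context under the relaxed rule, where the strict rule refuses. Against a current acceptor that still returns a MIC, the mismatch is caught (BAD_MIC), and the relaxed rule still rejects a MIC-less reselect to anything other than NTLMSSP.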
From: ghudson@mit.edu
Subject: git commit

Allow SPNEGO fallback to NTLM without mechlistMIC

For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.

[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]

https://github.com/krb5/krb5/commit/7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3
Author: Greg Hudson <ghudson@mit.edu>
Commit: 7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3
Branch: master
src/lib/gssapi/spnego/spnego_mech.c | 23 ++++++++++++++++-------
1 files changed, 16 insertions(+), 7 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Allow SPNEGO fallback to NTLM without mechlistMIC

For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.

[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]

(cherry picked from commit 7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3)

https://github.com/krb5/krb5/commit/e1c6b2cc02b0b28cf3037e20f2ef418db22d8cd3
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: e1c6b2cc02b0b28cf3037e20f2ef418db22d8cd3
Branch: krb5-1.13
src/lib/gssapi/spnego/spnego_mech.c | 23 ++++++++++++++++-------
1 files changed, 16 insertions(+), 7 deletions(-)