Windows Authentication in Linux .NET Core - linux

I'm trying to make Windows authentication work on a Linux/Debian server with Kerberos. I'm using .NET Core 3.1 and IdentityServer4. So far I have joined the Linux machine to the Windows AD as the docs say:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio#kestrel-1
I have managed to get Kerberos working from bash with the kinit command. I also got Apache2 working with Kerberos.
But in .NET Core the logs always show:
[17:39:53 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler AuthenticationScheme: Negotiate was challenged.
[17:39:54 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler None
If I set a wrong encryption type in krb5.conf I get an error like:
Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information(Request ticket server **** kvno 4 enctype aes256-cts found in keytab but cannot decrypt ticket).
at System.Net.Security.NegotiateStreamPal.GssAcceptSecurityContext(SafeGssContextHandle& context, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags)
at System.Net.Security.NegotiateStreamPal.AcceptSecurityContext(SafeFreeCredentials credentialsHandle, SafeDeleteContext& securityContext, ContextFlagsPal requestedContextFlags, Byte[] incomingBlob, ChannelBinding channelBinding, Byte[]& resultBlob, ContextFlagsPal& contextFlags)
So the token is passing through GSSAPI in normal mode and it is trying to validate the user, but the answer is always None. Can somebody help me see what I'm doing wrong?

I got it working by using the [Authorize] attribute instead of HttpContext.ChallengeAsync().
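The "found in keytab but cannot decrypt ticket" error quoted in the question is quite specific: the keytab does hold an entry for that service principal, kvno and enctype, but the key in it is not the key the KDC used, so the first thing to check is what the keytab actually contains. The following is an added example, not code from the question, the answer or .NET: a stdlib-only parser for MIT-format keytabs plus a function that matches the principal, kvno and enctype named in the GSSAPI message against the keytab's entries. The keytab bytes and the HTTP/web01.example.test@EXAMPLE.TEST principal are constructed for the example.

```python
"""Inspect an MIT-format keytab and cross-check it against a GSSAPI decrypt error.

Added example, not from the post: the keytab bytes are constructed with build_keytab()
and the principal names are made up for illustration.
"""
import re
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) for the names used in the MIT error message.
ENCTYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}
ENCTYPE_IDS = {name: num for num, name in ENCTYPE_NAMES.items()}

# The MIT wording that the .NET GSSAPI interop layer surfaced in the question.
GSS_DECRYPT_ERR = re.compile(
    r"Request ticket server (\S+) kvno (\d+) enctype (\S+) found in keytab but cannot decrypt ticket")


def build_keytab(entries):
    """Constructed keytab, format 0x0502, from (principal, kvno, enctype, key) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for part in [realm] + comps:                      # realm first, then each name component
            body += struct.pack(">H", len(part)) + part.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type=NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Yield {'principal', 'kvno', 'enctype'} for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                                      # a negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):                        # realm, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", entry, off)
        off += 4 + keylen
        kvno = vno8
        if off + 4 <= size:                               # 32-bit vno, when present and nonzero, wins
            (vno32,) = struct.unpack_from(">I", entry, off)
            kvno = vno32 or vno8
        yield {"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno, "enctype": enctype}


def diagnose(error_message, keytab_bytes):
    """Return (status, detail) comparing the ticket named in the error with the keytab contents."""
    m = GSS_DECRYPT_ERR.search(error_message)
    if not m:
        return "no-match", "message is not the 'found in keytab but cannot decrypt' error"
    server, kvno, enctype = m.group(1), int(m.group(2)), ENCTYPE_IDS.get(m.group(3))
    same = [e for e in parse_keytab(keytab_bytes) if e["principal"] == server]
    if not same:
        return "no-principal", "keytab has no entry for %s" % server
    if any(e["kvno"] == kvno and e["enctype"] == enctype for e in same):
        return "key-mismatch", ("keytab has %s kvno %d %s, so its key material differs from the KDC's "
                                "(stale keytab or different salt): regenerate the keytab" % (server, kvno, m.group(3)))
    have = sorted({(e["kvno"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))) for e in same})
    return "no-key", ("no entry for kvno %d %s here (keytab has %s), so this is probably not the keytab "
                      "the service process reads; check KRB5_KTNAME" % (kvno, m.group(3), have))
```

Against a live system, call `diagnose(message, open("/etc/krb5.keytab", "rb").read())` with the message from the .NET log. A "key-mismatch" result means the entry is there but stale (service account password changed, or the keytab was generated with a different salt) and the keytab must be regenerated; "no-key" means the keytab you are looking at cannot be the one the service used, since the KDC message says the entry was found.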

Related

WebRequest.GetRequestStream throws exception when run as "NT AUTHORITY\SYSTEM"

I am trying to get an OAuth2 token from Azure. I am using HttpWebRequest.GetRequestStream for the token request. When I run my application from Visual Studio or by double-clicking it, it works fine. But when I use this code from my product, which is actually a service that spawns this application, it runs as the local system account and then throws the following exception:
The underlying connection was closed: An unexpected error occurred on a send.
Inner exception is:
Authentication failed because the remote party has closed the transport stream
Note: my target .NET Framework is 4.6.1.
And I am using ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls; in my code.
Any help will be appreciated.
Found the answer. The error was totally misleading; at least to me. Since the proxy server address was not set for the local system account, it wasn't working before. Silly me :)

Azure IoT SDK C: Error 401 when connecting to Blob Storage

OS and version used: Ubuntu 18.04
SDK version used: Release Dec. 13, 2018
Target: ESP32.
Description of the issue:
I am trying to connect the ESP32 to my Blob storage. I am getting an HTTP error 401 (unauthorized access).
I am using the example: iothub_client_sample_upload_to_blob_mb.
I tried connecting using just the Shared Access Key in my connection string, but this did not work (no connection). After that I generated an SAS token in Azure (Storage Accounts -> -> Shared Access Signature) and plugged that into my connection string.
My connection string looks like this:
static const char* connectionString = "HostName=<Host name>;DeviceId=<Device ID>;SharedAccessSignature=<inserted here without the "?" at the beginning>";
Q1: Why is there a "?" in front of the token? When I look at the connection string, at SharedAccessSignature=.. I don't see the "?".
I also set up the Endpoint in Azure under IoT Hub -> Upload files.
In the example, I am using the option SET_TRUSTED_CERT_IN_SAMPLES.
Q2: What does that mean? I am not so familiar with basic encryption and should probably read up on that.
Q3: Why am I getting a 401 error? What could be a possible solution?
Log:
Initializing SNTP
ESP platform sntp inited!
Time is not set yet. Connecting to WiFi and getting time over NTP. timeinfo.tm_year:70
Waiting for system time to be set... tm_year:0[times:1]
Starting the IoTHub client sample upload to blob with multiple blocks...
Info: Waiting for TLS connection
Info: Waiting for TLS connection
Info: Waiting for TLS connection
Info: Waiting for TLS connection
Error: Time:Thu Jan 17 22:06:00 2019 File:/home/julian/eclipse-workspace/chaze-esp32/components/esp-azure/azure-iot-sdk-c/iothub_client/src/iothub_client_ll_uploadtoblob.c Func:send_http_request Line:142 HTTP code was 401
Error: Time:Thu Jan 17 22:06:00 2019 File:/home/julian/eclipse-workspace/chaze-esp32/components/esp-azure/azure-iot-sdk-c/iothub_client/src/iothub_client_ll_uploadtoblob.c Func:IoTHubClient_LL_UploadToBlob_step1and2 Line:494 unable to HTTPAPIEX_ExecuteRequest
Error: Time:Thu Jan 17 22:06:00 2019 File:/home/julian/eclipse-workspace/chaze-esp32/components/esp-azure/azure-iot-sdk-c/iothub_client/src/iothub_client_ll_uploadtoblob.c Func:IoTHubClient_LL_UploadMultipleBlocksToBlob_Impl Line:768 error in IoTHubClient_LL_UploadToBlob_step1
Received unexpected result FILE_UPLOAD_ERROR
hello world failed to upload
Press any key to continue
Here is the link to the GitHub Repo.
The example can be found here.
I generated an SAS token in Azure (Storage Accounts -> -> Shared Access Signature) and plugged that into my connection string. My connection string looks like this:
static const char* connectionString = "HostName=<Host name>;DeviceId=<DeviceID>;SharedAccessSignature=<inserted here without the "?" at the beginning>";
Q1: Why is there a "?" in front of the token? When I look at the connection string, at SharedAccessSignature=.. I don't see the "?".
After registering a device on IoT Hub you will need to retrieve its connection string to use in this example. See here for an example of how to register a device on IoT Hub and retrieve its connection string.
I also set up the Endpoint in Azure under IoT Hub -> Upload files. In the example, I am using the option SET_TRUSTED_CERT_IN_SAMPLES.
Q2: What does that mean? I am not so familiar with basic encryption and should probably read up on that.
That flag is used when compiling the SDK for your device. See the CMake file:
#Conditionally use the SDK trusted certs in the samples
if(${use_sample_trusted_cert})
    add_definitions(-DSET_TRUSTED_CERT_IN_SAMPLES)
    include_directories(${PROJECT_SOURCE_DIR}/certs)
    set(iothub_client_sample_upload_to_blob_mb_c_files ${iothub_client_sample_upload_to_blob_mb_c_files} ${PROJECT_SOURCE_DIR}/certs/certs.c)
endif()
Q3: Why am I getting a 401 error? What could be a possible solution?
Make sure you configure file upload on Azure IoT Hub correctly - https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-file-upload - and use the correct connection string in the sample. Also leverage the ESP8266 sample, which should have similar steps to the ESP32 configuration.
To get rid of the 401 error: Use MSFT Baltimore certificate in the code.
To get rid of the panic on the ESP: Look at this GitHub issue.
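On the "?" question: a SAS token is the query-string part of a URL, so the "?" shown in the portal is the separator between the resource URL and the token, not part of the token itself, and it is left out when the token is placed in a connection string. The following is an added example, not code from the issue, the SDK or its samples: a parser for the device connection string that classifies which credential it carries, flags an Azure Storage SAS (recognisable by its sv= field) used where an IoT Hub device token belongs, and checks the token's expiry and signature fields. The host name, device id and token values are constructed and the signatures are not real.

```python
"""Inspect an Azure IoT device connection string and any SAS token embedded in it.

Added example, not from the issue or the SDK: the host, device and token values are
constructed for illustration and the signatures are not real.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed samples (not real credentials): a key-based string, a device SAS string and
# the kind of Storage SAS string the issue describes.
KEY_STRING = "HostName=hub.example.test;DeviceId=esp32-01;SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbA=="
DEVICE_SAS_STRING = ("HostName=hub.example.test;DeviceId=esp32-01;SharedAccessSignature="
                     "SharedAccessSignature sr=hub.example.test%2Fdevices%2Fesp32-01&sig=bm90LXJlYWw%3D&se=1547766400")
STORAGE_SAS_STRING = ("HostName=hub.example.test;DeviceId=esp32-01;SharedAccessSignature="
                      "sv=2018-03-28&ss=b&srt=sco&sp=rwdlac&se=2019-01-18T22:00:00Z&sig=bm90LXJlYWw%3D")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value'. Only the first '=' separates key from value, so a token
    with '=' signs of its own survives intact."""
    return dict(item.partition("=")[::2] for item in cs.split(";") if item)


def parse_sas(raw):
    """Parse the fields of a SAS token. A SAS is a URL query string: the '?' the portal shows is
    the query separator, not part of the token, which is why it is dropped in a connection
    string. IoT Hub device tokens additionally carry a 'SharedAccessSignature ' scheme prefix."""
    token = raw.strip()
    if token.startswith("SharedAccessSignature "):
        token = token[len("SharedAccessSignature "):]
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def parse_expiry(se):
    """'se' is epoch seconds in IoT Hub tokens and an ISO 8601 UTC timestamp in Storage tokens."""
    if se.isdigit():
        return datetime.fromtimestamp(int(se), tz=timezone.utc)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised se value: %r" % se)


def inspect_connection_string(cs, now=None):
    """Classify the credential and list problems. Returns (kind, findings) with kind one of
    'shared-access-key', 'iothub-sas', 'storage-sas' or 'none'."""
    now = now or datetime.now(timezone.utc)
    parts = parse_connection_string(cs)
    findings = ["missing %s" % k for k in ("HostName", "DeviceId") if k not in parts]
    if "SharedAccessKey" in parts:
        return "shared-access-key", findings
    if "SharedAccessSignature" not in parts:
        return "none", findings + ["no SharedAccessKey or SharedAccessSignature"]
    sas = parse_sas(parts["SharedAccessSignature"])
    if "sig" not in sas:
        findings.append("token has no signature (sig)")
    if "se" not in sas:
        findings.append("token has no expiry (se)")
    elif parse_expiry(sas["se"]) <= now:
        findings.append("token expired at %s" % sas["se"])
    if "sv" in sas:                       # the storage service version field exists only in Storage SAS
        findings.append("Azure Storage SAS (sv=%s, sp=%s) used where an IoT Hub device token is expected"
                        % (sas["sv"], sas.get("sp", "")))
        return "storage-sas", findings
    expected_sr = "%s/devices/%s" % (parts.get("HostName", ""), parts.get("DeviceId", ""))
    if sas.get("sr", "").lower() != expected_sr.lower():
        findings.append("sr=%r does not name this device (%s)" % (sas.get("sr"), expected_sr))
    return "iothub-sas", findings


if __name__ == "__main__":
    for label, cs in (("key", KEY_STRING), ("device SAS", DEVICE_SAS_STRING), ("storage SAS", STORAGE_SAS_STRING)):
        print(label, inspect_connection_string(cs))
```

Running the file prints the classification of each sample; pass a fixed `now` when reproducing an old log, since the constructed device token has an expiry in January 2019 and will otherwise be reported as expired.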

Liberty login error in trace log for wim model message - ClassCastException Entity and LoginAccount

I have configured WebSphere Liberty to use LDAP to authenticate users. I have enabled the security trace:
com.ibm.ws.security.=all:com.ibm.ws.webcontainer.security.=all:com.ibm.oauth.=all:com.ibm.wsspi.security.oauth20.=all:com.ibm.ws.transport.http.=all:org.apache.http.client.=all
I have the following features enabled in WebSphere Liberty v17.0.0.3:
webProfile-7.0, javaMail-1.5, ldapRegistry-3.0 and localConnector-1.0.
However, secure content is failing with HTTP 401 (Unauthenticated).
In the trace file, I can see that LDAP is able to return the logged-in user's data. But WebSphere Liberty is failing with this error:
com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
java.lang.ClassCastException: com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:203)
at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:316)
at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:104)
Please help me figure out whether this error is due to a configuration problem.
The problem was resolved after correcting the configuration of the registry used. I was using the LDAP registry and had set the LDAP server type to Tivoli. This caused the Subject class being returned from LDAP not to match the class Liberty expected. Once I changed the LDAP server type to Custom, the error was resolved. Below is the ldapRegistry tag I used in server.xml:
<ldapRegistry baseDN="ou=xxxxxxxx,o=xxxxxx" host="xxxxxxxxxxxxxxx" id="xxxxxxxxxxx" ldapType="Custom" port="636" realm="xx" recursiveSearch="true" sslEnabled="true" sslRef="sslrepo1">
    <customFilters userFilter="(&amp;(mail=%v)(objectclass=ePerson))" userIdMap="*:mail"/>
</ldapRegistry>

Jetty SPNEGO/SSO gives NPE. Expected cause krb5.ini?

We're facing an issue where Jetty SPNEGO gives an NPE inside SpnegoLoginService.login()
The gssContext.getSrcName() call returns null.
The SPN is: HTTP/machine.dd.aa.net@EE.AA.NET
Must there be a special setup in the KRB5.INI file when dd.aa.net != EE.AA.NET?
The only clue I found with Google is this warning message from some online source code:
if (gssContext.isEstablished()) {
    if (gssContext.getSrcName() == null) {
        log.warn("GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration");
        return false;
    }
}
Our client setup is:
Internet Explorer browser, set up for Negotiate/SPNEGO
login using a Windows smart card
Our server setup is:
Java 8u45
Jetty 9
using org.eclipse.jetty.security.SpnegoLoginService
We used Java's kinit on the server to validate against the keytab and also against the DC, which went OK. The reverse DNS zones are also working.
Is there a possibility that the 'service request token' generated by the client browser (logged in with a smart card) doesn't supply the context initiator / client principal name?
Thanks
The NullPointerException was gone when we went from Java 1.8u45 to Java 1.8u60.
It turns out the server side didn't check all the tickets provided by the client, so it didn't find the correct one.
Below is the bug entry:
[JDK-8078439] SPNEGO auth fails if client proposes MS krb5 OID

SharePoint 2010 Error The Signature of the certificate cannot be verified

My client wants the SharePoint web application to be authenticated using the SiteMinder claims-based STS web service agent. When the web app starts and the authentication provider is selected, the web app redirects to a login page and, given the correct credentials, it should redirect back to the site.
What is happening is that, with the correct credentials, the SharePoint web application returns the following error:
Any clue what might be the reason? I am happy to assist if additional information is required.
NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.
Exception Details:
System.IdentityModel.Tokens.SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.]
Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +181
Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +260
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +520
[SecurityTokenValidationException: ID4257: X.509 certificate 'E=user@domain.com, CN=certName, OU=WHQ, O=CSC, L=Chantilly, S=Virigina, C=US' validation failed by the token handler.]
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1358733
Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099702
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
Solution Time!
Special thanks to @gtrig for tipping me off about the real issue behind the error.
Why the Error
The error is caused by a Microsoft security patch (KB2661254) that adds a restriction to certificate validation. The patch requires the certificate's RSA key to be greater than or equal to 1024 bits. The given siteminder.cer contains a 512-bit RSA key. The following link explains the issue in detail.
http://blogs.technet.com/b/rmilne/archive/2012/09/03/important-upcoming-certificate-changes.aspx
The solution in detail is here. http://support.microsoft.com/kb/2661254
But for me, just adding the following registry key did the trick.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
minRSAPubKeyBitLength : Decimal 512
To apply this registry modification, open a command prompt (make sure the user has admin privileges, or else start the command prompt in Administrator mode) and execute:
certutil -setreg chain\minRSAPubKeyBitLength 512
However, I would recommend reading through the entire solution at the above link in depth to find the solution that fits your situation.
Important: This is not a recommended approach in a client environment, as it may compromise the security of the server environment.
The recommended solution is to have a new certificate created with at least the minimum key size of 1024 bits (although 2048 is recommended).
