简体繁体 English

HTTP使用python-kerberos协商Windows与Unix服务器的实现

[英]HTTP Negotiate windows vs. Unix server implementation using python-kerberos

原文 2010-04-15 16:50:31 1 1 python/ kerberos

I tried to implement a simple single-sign-on in my python web server. 我试图在我的python Web服务器中实现一个简单的单点登录。 I have used the python-kerberos package which works nicely. 我使用了python-kerberos包很好用。 I have tested it from my Linux box (authenticating against active directory) and it was without problem. 我已经从我的Linux盒子中测试过它（对活动目录进行身份验证）并且没有问题。 However, when I tried to authenticate using Firefox from Windows machine (no special setup, just having the user logged into the domain + added my server into negotiate-auth.trusted-uris), it doesn't work. 但是，当我尝试使用Windows机器上的Firefox进行身份验证时（没有特殊设置，只需让用户登录到域+将我的服务器添加到negotiate-auth.trusted-uris中），它就不起作用了。 I have looked at what is sent and it doesn't even resemble the things the Linux machine sends. 我查看了发送的内容，它甚至不像Linux机器发送的东西。 This Microsoft description of the process pretty much resembles the way my interaction from Linux works, but the Windows machine generally sends a very short string, which doesn't even resemble the things microsoft documentation states, and when base64 decoded, it is something like 12 zero bytes followed by 3 or 4 non-zero bytes (GSS functions then return that it doesn't support such scheme) 微软对这个过程的描述非常类似于我与Linux的交互方式，但Windows机器通常发送一个非常短的字符串，它甚至不像微软文档所说的那样，当base64解码时，它就像12零字节后跟3或4个非零字节（GSS函数然后返回它不支持此类方案）

Either there is something wrong with the client Firefox settings, or there is some protocol which I am supposed to follow for the Negotiate protocol, but which I cannot find any reference anywhere. 客户端Firefox设置有问题，或者我应该为协商协议遵循一些协议，但我无法在任何地方找到任何参考。 Any ideas what's wrong? 有什么想法有什么不对吗？ Do you have any idea what protocol I should by trying to find, as it doesn' look like SPNEGO, at least from MS documentation. 您是否知道我应该通过尝试找到哪种协议，因为它看起来不像SPNEGO，至少从MS文档中看起来如此。

Update: now it seems to at least produce reasonable data (clean installation of firefox on something different than windows7...), however I am getting: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('', 100004)) The Negotiate data now seems to be OK, so this is some other error. 更新：现在它似乎至少产生合理的数据（在与Windows7不同的东西上干净安装firefox ...），但是我得到：（（'未指定的GSS失败。次要代码可能提供更多信息'，851968），（ ''，100004））Negotiate数据现在似乎没问题，所以这是其他一些错误。 Any idea where can I decode what 100004 means? 任何想法我在哪里可以解码100004的含义？

1 个解决方案

On Windows, you also need to make sure that network.auth.use-sspi = true , so that Firefox will use the native Windows Kerberos (SSPI) rather than look for a GSSAPI DLL. 在Windows上，您还需要确保network.auth.use-sspi = true ，以便Firefox将使用本机Windows Kerberos（SSPI）而不是查找GSSAPI DLL。

If that's not it, and you want to provide a packet capture of the Kerberos and HTTP traffic, I'm happy to look at it. 如果不是这样，并且您想提供Kerberos和HTTP流量的数据包捕获，我很高兴看到它。