使用 python-kerberos 进行 HTTP 协商 Windows 与 Unix 服务器实现

发布于 2024-08-29 05:08:11 字数 777 浏览 5 评论 0原文

我尝试在我的 python Web 服务器中实现简单的单点登录。我使用了 python-kerberos 包,效果很好。我已经在我的 Linux 机器上对其进行了测试(针对活动目录进行身份验证),并且没有问题。 但是,当我尝试从 Windows 计算机使用 Firefox 进行身份验证时(无需特殊设置,只需让用户登录到域 + 将我的服务器添加到 negotiate-auth.trusted-uris 中),它不起作用。我查看了发送的内容,它甚至与 Linux 机器发送的内容完全不同。 Microsoft 对该过程的描述与我的交互方式非常相似Linux 可以工作,但 Windows 机器通常会发送一个非常短的字符串,这甚至与微软文档所述的内容不同,并且当 Base64 解码时,它类似于 12 个零字节,后跟 3 或 4 个非零字节(GSS 函数)然后返回它不支持这种方案)

要么客户端 Firefox 设置有问题,要么有一些我应该遵循的协商协议协议,但我在任何地方都找不到任何参考。任何想法有什么问题吗?你知道我应该尝试找到什么协议吗,因为它看起来不像 SPNEGO,至少从 MS 文档来看是这样。

更新:现在它似乎至少产生了合理的数据(在与 windows7 不同的东西上干净安装 firefox...),但是我得到: (('未指定的 GSS 故障。次要代码可能提供更多信息', 851968), ('', 100004)) 协商数据现在似乎正常,因此这是其他错误。知道在哪里可以解码 100004 的含义吗?

I tried to implement a simple single-sign-on in my python web server. I have used the python-kerberos package which works nicely. I have tested it from my Linux box (authenticating against active directory) and it was without problem.
However, when I tried to authenticate using Firefox from Windows machine (no special setup, just having the user logged into the domain + added my server into negotiate-auth.trusted-uris), it doesn't work. I have looked at what is sent and it doesn't even resemble the things the Linux machine sends. This Microsoft description of the process pretty much resembles the way my interaction from Linux works, but the Windows machine generally sends a very short string, which doesn't even resemble the things microsoft documentation states, and when base64 decoded, it is something like 12 zero bytes followed by 3 or 4 non-zero bytes (GSS functions then return that it doesn't support such scheme)

Either there is something wrong with the client Firefox settings, or there is some protocol which I am supposed to follow for the Negotiate protocol, but which I cannot find any reference anywhere. Any ideas what's wrong? Do you have any idea what protocol I should by trying to find, as it doesn' look like SPNEGO, at least from MS documentation.

Update: now it seems to at least produce reasonable data (clean installation of firefox on something different than windows7...), however I am getting:
(('Unspecified GSS failure. Minor code may provide more information', 851968), ('', 100004))
The Negotiate data now seems to be OK, so this is some other error. Any idea where can I decode what 100004 means?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

心清如水 2024-09-05 05:08:11

在 Windows 上,您还需要确保 network.auth.use-sspi = true,以便 Firefox 将使用本机 Windows Kerberos (SSPI),而不是查找 GSSAPI DLL。

如果不是这样,并且您想要提供 Kerberos 和 HTTP 流量的数据包捕获,我很乐意查看它。

On Windows, you also need to make sure that network.auth.use-sspi = true, so that Firefox will use the native Windows Kerberos (SSPI) rather than look for a GSSAPI DLL.

If that's not it, and you want to provide a packet capture of the Kerberos and HTTP traffic, I'm happy to look at it.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文