Problem description
I'm trying to implement Negotiate (at least the Kerberos part) in a small web server. I've figured out how to get a client to send me a Kerberos Negotiate Authorization header. I've figured out how to decode that data (ASN.1). I cannot figure out how to turn this into a WindowsIdentity. I can get a general idea of how I might from KerberosReceiverSecurityToken, but I can't find anything like a NegotiateReceiverSecurityToken. I've been digging through lots of DLLs and I can't for the life of me figure out where IIS/.NET processes the Negotiate header.
I presume (if I had my own SspiWrapper) that I would do something with SspiWrapper.AcquireDefaultCredential("Negotiate", CredentialUse.Inbound) to acquire an SSPI context with which I could call AcceptSecurityContext/Negotiate and then use QuerySecurityContextToken to get the token with which I could create a WindowsIdentity.
But KerberosReceiverSecurityToken makes that look like an immensely complicated process. And without any idea of how to do that or what part of the Authorization header payload to put into it, I could probably beat my head against it for a month without getting anywhere.
(Before you ask or answer, I have absolutely no interest in using the built in Negotiate logic. If I could find it, I would learn from it, but I've been trying to get that to work for FAR too long. And I'm done with that.)
Recommended answer
1. Parse the incoming response token
2. Call Secur32.AcquireCredentialsHandle to get a handle
3. Call Secur32.AcceptSecurityContext passing the handle and the token
4. Call Secur32.QuerySecurityContextToken passing the security context
5. Construct a new WindowsIdentity(hToken) using the output from step 4
If you have any questions about any of these steps, I can elaborate and/or provide some sample code.
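The five steps above as a P/Invoke sketch, added here as an example; it is not the answerer's code or anything from the .NET framework. The names NegotiateAcceptor and Accept and the 48000-byte reply buffer are assumptions, and it covers only an exchange that completes in a single leg; the entire base64-decoded header value is passed to AcceptSecurityContext unparsed.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
static class NegotiateAcceptor // hypothetical helper name, not a framework type
{
    [StructLayout(LayoutKind.Sequential)] struct SecHandle { public IntPtr Lo, Hi; }
    [StructLayout(LayoutKind.Sequential)] struct SecBuffer { public int Size, Type; public IntPtr Data; }
    [StructLayout(LayoutKind.Sequential)] struct SecBufferDesc { public int Version, Count; public IntPtr Buffers; }
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int AcquireCredentialsHandle(string principal, string package, int use, IntPtr logonId,
        IntPtr authData, IntPtr keyFn, IntPtr keyArg, out SecHandle cred, out long expiry);
    [DllImport("secur32.dll")]
    static extern int AcceptSecurityContext(ref SecHandle cred, IntPtr ctxIn, ref SecBufferDesc input, int req,
        int dataRep, out SecHandle ctxOut, ref SecBufferDesc output, out int attrs, out long expiry);
    [DllImport("secur32.dll")] static extern int QuerySecurityContextToken(ref SecHandle ctx, out IntPtr token);
    [DllImport("secur32.dll")] static extern int DeleteSecurityContext(ref SecHandle ctx);
    [DllImport("secur32.dll")] static extern int FreeCredentialsHandle(ref SecHandle cred);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    // SECPKG_CRED_INBOUND, SECURITY_NATIVE_DREP, SECBUFFER_TOKEN, SEC_I_CONTINUE_NEEDED; MaxReply is an assumed size
    const int Inbound = 1, NativeDrep = 0x10, TokenType = 2, ContinueNeeded = 0x00090312, MaxReply = 48000;
    static void Check(int status) { if (status != 0) throw new Win32Exception(status); }
    // Steps 1-5 for an exchange that completes in one leg (the usual Kerberos case).
    public static WindowsIdentity Accept(string authorizationHeader)
    {
        if (!authorizationHeader.StartsWith("Negotiate ", StringComparison.OrdinalIgnoreCase)) throw new ArgumentException("not a Negotiate header");
        byte[] token = Convert.FromBase64String(authorizationHeader.Substring(10).Trim()); // step 1: the whole blob
        int sz = Marshal.SizeOf(typeof(SecBuffer));
        IntPtr mem = Marshal.AllocHGlobal(2 * sz + token.Length + MaxReply), data = mem + 2 * sz, hToken;
        SecHandle cred = default(SecHandle), ctx = default(SecHandle); bool haveCred = false, haveCtx = false; long expiry; int attrs;
        try {
            Marshal.Copy(token, 0, data, token.Length);
            Marshal.StructureToPtr(new SecBuffer { Size = token.Length, Type = TokenType, Data = data }, mem, false);
            Marshal.StructureToPtr(new SecBuffer { Size = MaxReply, Type = TokenType, Data = data + token.Length }, mem + sz, false);
            var input = new SecBufferDesc { Count = 1, Buffers = mem };       // Version 0 is SECBUFFER_VERSION
            var output = new SecBufferDesc { Count = 1, Buffers = mem + sz };
            Check(AcquireCredentialsHandle(null, "Negotiate", Inbound, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out cred, out expiry)); // step 2
            haveCred = true;
            int status = AcceptSecurityContext(ref cred, IntPtr.Zero, ref input, 0, NativeDrep, out ctx, ref output, out attrs, out expiry); // step 3
            haveCtx = status == 0 || status == ContinueNeeded;
            Check(status); // ContinueNeeded means another round trip (reply 401 with the output token); not handled here
            Check(QuerySecurityContextToken(ref ctx, out hToken));            // step 4
            try { return new WindowsIdentity(hToken); }                       // step 5: WindowsIdentity duplicates the handle
            finally { CloseHandle(hToken); }
        } finally {
            if (haveCtx) DeleteSecurityContext(ref ctx);
            if (haveCred) FreeCredentialsHandle(ref cred);
            Marshal.FreeHGlobal(mem);
        }
    }
}
```

A server that must support multi-leg exchanges keeps the context handle per connection and passes it back as the second argument on the next request instead of deleting it.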