Need expert help in CredSSP communication

  • Question


  • Reference #1


    http://msdn.microsoft.com/en-us/library/aa965582(VS.85).aspx


    SECURITY_STATUS SEC_ENTRY InitializeSecurityContext(
      __in_opt     PCredHandle phCredential,
      __in_opt     PCtxtHandle phContext,
      __in_opt     SEC_CHAR *pszTargetName,
      __in         unsigned long fContextReq,
      __reserved   unsigned long Reserved1,
      __in         unsigned long TargetDataRep,
      __inout_opt  PSecBufferDesc pInput,
      __in         unsigned long Reserved2,
      __inout_opt  PCtxtHandle phNewContext,
      __out_opt    PSecBufferDesc pOutput,
      __out        unsigned long *pfContextAttr,
      __out_opt    PTimeStamp ptsExpiry
    );


    InitializeSecurityContext (CredSSP) Function

     

    The InitializeSecurityContext (CredSSP) function initiates the client side, outbound security context from a credential handle. The function builds a security context between the client application and a remote peer. InitializeSecurityContext (CredSSP) returns a token that the client must pass to the remote peer; the peer in turn submits that token to the local security implementation through the AcceptSecurityContext (CredSSP) call. The token generated should be considered opaque by all callers.


    Reference #2:
    http://msdn.microsoft.com/en-us/library/cc226794(PROT.10).aspx

    CredSSP communication graph:


    [Figure: CredSSP communication graph from MS-CSSP (image not included)]

    Question:

    I received a byte buffer of token data from InitializeSecurityContext(CredSSP),
    0) I sent the token data through TCP to the server, failed to receive any valid response.
    1) I sent the token data through SSL channel to the server, and failed to receive any valid response.
    2) I used "Microsoft Spnego Helper API" to parse the data, the API showed that the token data is not in valid SPNEGO format;
    3) I used "Microsoft Spnego Helper API" to encode the data to SPNEGO format, again I was told by the API that the data is not valid to be encrypted into SPNEGO.


    I want to know:
    1) In which method/way should I send this token data to the server, should the token data be encrypted before sending?
    2) In the graph, which methods should I use to accomplish step 5, 7, and 9?


    I've been working on this for 3-4 working days and it's been a headache.
    If there is someone from Microsoft PG who could help, it would be truly appreciated, as would anyone who has come upon the development of CredSSP communication.



    Many thanks.
    Tintin
    Beijing, China

    Thanks.
    Monday, August 17, 2009 7:18 AM

Answers

  • Following is how CredSSP handshake goes:

    First step, 4 messages for SSL handshake;

    Second step, 5 messages for CredSSP handshake;


    Our previous knowledge from online resources indicated that we only needed to do the second step; however, the first step is also required. Sample code for both can be found online. I won't post it again.

    Thanks a lot for Coder24's generous and consistent help.


    Have a nice day.

    Tintin.
    Thanks.
    • Marked as answer by Tintin- Tuesday, November 17, 2009 3:13 AM
    Tuesday, November 17, 2009 3:13 AM
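Added example, not code from the thread, from Microsoft, or from either poster: a Python sketch of the second step the accepted answer refers to, the CredSSP messages that travel inside the already-established TLS channel, laid out as the TSRequest structure from the MS-CSSP specification cited above as Reference #2. The SPNEGO token bytes, the TLS server public key, the session key and the TSCredentials payload are constructed sample data (a real client gets the tokens from InitializeSecurityContext(CredSSP) and the key from the server certificate), the wrap/unwrap functions are an HMAC stand-in for the EncryptMessage/DecryptMessage protection the negotiated context applies, and the version value 2 is a constructed choice. The DER layout and the first-byte-plus-one public key echo follow the specification; the third message carries the client's last SPNEGO token where the mechanism needs one.

```python
import hashlib, hmac

# DER helpers for the TSRequest layout in MS-CSSP (context tags [0]=0xA0 .. [3]=0xA3).
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(v: int) -> bytes:
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def encode_tsrequest(version, nego_tokens=None, auth_info=None, pub_key_auth=None):
    """TSRequest ::= SEQUENCE { version [0] INTEGER, negoTokens [1] NegoData OPTIONAL,
    authInfo [2] OCTET STRING OPTIONAL, pubKeyAuth [3] OCTET STRING OPTIONAL }"""
    body = der(0xA0, der_integer(version))
    if nego_tokens is not None:
        # NegoData ::= SEQUENCE OF SEQUENCE { negoToken [0] OCTET STRING }
        items = b"".join(der(0x30, der(0xA0, der(0x04, t))) for t in nego_tokens)
        body += der(0xA1, der(0x30, items))
    if auth_info is not None:
        body += der(0xA2, der(0x04, auth_info))
    if pub_key_auth is not None:
        body += der(0xA3, der(0x04, pub_key_auth))
    return der(0x30, body)

def _tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_tsrequest(buf: bytes) -> dict:
    tag, body, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("TSRequest must be exactly one DER SEQUENCE")
    out = {"version": None, "negoTokens": [], "authInfo": None, "pubKeyAuth": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0xA0:
            out["version"] = int.from_bytes(_tlv(val, 0)[1], "big")
        elif tag == 0xA1:
            seq, p = _tlv(val, 0)[1], 0
            while p < len(seq):
                _, item, p = _tlv(seq, p)                                # SEQUENCE
                out["negoTokens"].append(_tlv(_tlv(item, 0)[1], 0)[1])  # [0] OCTET STRING
        elif tag == 0xA2:
            out["authInfo"] = _tlv(val, 0)[1]
        elif tag == 0xA3:
            out["pubKeyAuth"] = _tlv(val, 0)[1]
        else:
            raise ValueError(f"unexpected TSRequest field tag 0x{tag:02x}")
    return out

# Stand-in for the SPNEGO context's EncryptMessage/DecryptMessage: real CredSSP
# seals pubKeyAuth and authInfo with the negotiated Kerberos/NTLM key; this
# HMAC tag is a constructed substitute so the message flow runs offline.
def wrap(session_key: bytes, data: bytes) -> bytes:
    return hmac.new(session_key, data, hashlib.sha256).digest() + data

def unwrap(session_key: bytes, blob: bytes) -> bytes:
    tag, data = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(session_key, data, hashlib.sha256).digest()):
        raise ValueError("sealed CredSSP field failed integrity check")
    return data

def server_pubkey_response(pubkey: bytes) -> bytes:
    """The server echoes the TLS server public key with its first byte incremented."""
    return bytes([(pubkey[0] + 1) & 0xFF]) + pubkey[1:]

def credssp_handshake(key, client_tok1, server_tok, client_tok2, tls_pubkey, ts_credentials):
    """The five TSRequest messages of the CredSSP phase, sent inside the TLS channel."""
    return [
        encode_tsrequest(2, nego_tokens=[client_tok1]),   # 1. client: first SPNEGO token from ISC
        encode_tsrequest(2, nego_tokens=[server_tok]),    # 2. server: reply token from ASC
        encode_tsrequest(2, nego_tokens=[client_tok2],    # 3. client: last token + sealed TLS key
                         pub_key_auth=wrap(key, tls_pubkey)),
        encode_tsrequest(2, pub_key_auth=wrap(key, server_pubkey_response(tls_pubkey))),  # 4. server
        encode_tsrequest(2, auth_info=wrap(key, ts_credentials)),  # 5. client: sealed TSCredentials
    ]

def client_verifies_server(key: bytes, msg4: bytes, tls_pubkey: bytes) -> bool:
    """Check the client must pass before sending message 5: the server's pubKeyAuth
    is the TLS certificate key with first byte + 1, sealed under the same context.
    This binds the TLS channel to the authentication and defeats a TLS interceptor."""
    field = decode_tsrequest(msg4)["pubKeyAuth"]
    if field is None:
        return False
    try:
        got = unwrap(key, field)
    except ValueError:
        return False
    return hmac.compare_digest(got, server_pubkey_response(tls_pubkey))
```

The point for a client author is message 4: client_verifies_server must succeed before the sealed TSCredentials in message 5 leave the box. That check ties the authentication to the certificate the TLS session was actually built on, so a host that terminated TLS in the middle cannot collect the delegated credentials; a client that skips it hands them to whoever answered the connection.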

All replies

  • Hello Tintin:

    I will try to help you, but first I would like to know in what language you are making this: C++, C# or VB?

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 10:57 AM
  • Wonderful!

    We are under .Net framework, majorly C#, with several wrappers for C++ unmanaged code.


    Thanks.
    Tintin


    Thanks.
    Wednesday, August 19, 2009 11:06 AM
  • Hi Tintin:

    Thanks for the fast reply.

    So in C# are you using Socket class for communication?
    Or is the communication code in unmanaged (win32) C++?

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 11:08 AM

  • The current communication code is in unmanaged C++


    Our goal is to build a CredSSP communication between a client machine
    and the server machine's remote desktop service (so its SPN name is "TERMSRV/ServerMachineName")


    Our solution can be either in C# or C++ or a mixture of them.


    Thanks.
    Wednesday, August 19, 2009 11:15 AM
  • http://msdn.microsoft.com/en-us/library/ms995331.aspx
    http://msdn.microsoft.com/en-us/library/ms995330.aspx


    In "Microsoft SPNEGO Token Handler API", there are two APIs related to InitializeSecurityContext(CredSSP):
    spnegoCreateNegTokenInit and spnegoCreateNegTokenTarg


    spnegoCreateNegTokenInit is for client side usage,
    however, our token data is considered invalid by spnegoCreateNegTokenInit.

    int spnegoCreateNegTokenInit(
      [in]   SPNEGO_MECH_OID       MechType,
      [in]   unsigned char         ucContextFlags,
      [in]   unsigned char*        pbMechToken,
      [in]   unsigned long         ulMechTokenLen,
      [in]   unsigned char*        pbMechListMIC,
      [in]   unsigned long         ulMechListMICLen,
      [out]  SPNEGO_TOKEN_HANDLE*  phSpnegoToken
    );

    pbMechToken

    Pointer to binary data containing the GSS token corresponding to the MechType parameter. This is an optional parameter and may be set to NULL.

    This token is established by calling gss_init_sec_context() (GSS-API) or InitializeSecurityContext() (SSPI).

     


    Thanks.
    Wednesday, August 19, 2009 11:38 AM
  • Hi Tintin:

    Check this: http://msdn.microsoft.com/en-us/library/system.management.automation.runspaces.authenticationmechanism(VS.85).aspx
    and this: http://msdn.microsoft.com/en-us/library/system.management.automation.runspaces(VS.85).aspx

    Also: Do you have the Windows PowerShell SDK installed?

    Also: Can you share some info, like a code snippet of your code? (That would also help.)

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 12:30 PM


  • http://msdn.microsoft.com/en-us/library/cc540483.aspx

    1)

    For InitializeSecurityContext(CredSSP), we mainly adapted the sample code from MSDN in the above link.

    In the sample code, the client and the server are on the same machine, so the sample code also handles how the server responds to the client.

    In our code, the difference is that we only implemented the client side, and we expect the [terminal service] on the server side to handle it by itself automatically.


    2)
    We successfully received the first token, and the return value of InitializeSecurityContext indicates that we should call InitializeSecurityContext for a second round after we send the first token to the server.

    But as stated in the first thread post, we don't know what's the right way to pass the token to the server :(


    3)
    We can install the Windows PowerShell SDK if that helps; any working method is welcome to us.
    We can even go along without any specific method such as InitializeSecurityContext, as long as there is a way that works for CredSSP.

    Our only goal is to build client side code, and let it communicate in CredSSP with TERMSRV.exe service on the server machine.


    Tintin

    Thanks.
    • Edited by Tintin- Wednesday, August 19, 2009 12:56 PM
    Wednesday, August 19, 2009 12:43 PM
  • Hi Tintin:

    Are you finished?

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 1:00 PM
  • Yes, finished editing.
    Thanks.
    Wednesday, August 19, 2009 1:01 PM
  • Hi Tintin:

    Who has made the TERMSRV.exe ?

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 1:09 PM
  • Hi Tintin:

    For C# communication, the "Socket" class is often used...

    But, since you want to use a more secured way, we need to
    do some research.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 1:10 PM

  • But as stated in the first thread post, we don't know what's the right way to pass the token to the server :(
                
                    ---Tintin

    Thanks.
    Hi Tintin:

    You received the first (1) token from the server, right?

    Here's what I found on Internet, during my research:

    From: http://blogs.technet.com/brad_rutkowski/
    --------------------------------------------------

    So what is required to use CredSSP, thus allowing your client-side credentials to “pass-thru” to the server-side and go off box as your creds?

    On the client-side:

    new-item HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -force
    new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -name AllowFreshCredentials -value 1 -type DWord -force
    new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -name ConcatenateDefaults_AllowFresh -value 1 -type DWord -force
    new-item HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials -force
    new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials -name 1 -value wsman/* -force
    winrm s winrm/config/client/auth '@{CredSSP="true"}'


    On the server-side:

    winrm s winrm/config/service/auth '@{CredSSP="true"}'

    ------------------------------------------------------------------------------------------------------

    I hope this information was helpful...

    Best regards,
    Fisnik

    Coder24.com
    • Proposed as answer by Fisnik Hasani Friday, October 9, 2009 7:55 PM
    Wednesday, August 19, 2009 1:39 PM
  • Hi Tintin:

    Have you read this: http://support.microsoft.com/default.aspx/kb/951608

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, August 19, 2009 1:42 PM
    Who has made the TERMSRV.exe ?
                    ---Fisnik

    TERMSRV.exe is "Remote Desktop Service" in every Windows Operating System.
    We are using Windows Vista as  client and Windows 2008 as server.
    Thanks.
    Thursday, August 20, 2009 2:54 AM
    Have you read this: http://support.microsoft.com/default.aspx/kb/951608
                    ---Fisnik

    We've read this, and many other web pages on the first google search ranking pages...
    Thanks.
    Thursday, August 20, 2009 2:59 AM

    Here's what I found on Internet, during my research: [...] I hope this information was helpful...
                    ---Fisnik

    I'll check those pre-conditions that you have listed.


    However, currently I really need to know what to do with the first token data.
    Passing it without any encryption is not the right way to do it.

    We need a testified example of other people's method to pass the token data; can you find one?
    We exhausted the search engine and couldn't find an answer.
     
    (Thanks a lot for your generous help.)

    Thanks.
    Thursday, August 20, 2009 3:05 AM
  • Hi Tintin:

    Well, for encryption, SSL is almost always implemented between servers and clients.
    Anyway, regarding your question about "testified examples of other people's" - I can say that
    such samples do not exist, I am sorry.

    I only know that Microsoft provided the samples which you showed me; otherwise none exist, as I said before.

    To solve this problem, we need to research a lot more.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    • Proposed as answer by Fisnik Hasani Friday, October 9, 2009 7:55 PM
    Thursday, August 20, 2009 3:55 PM

  • Hey Fisnik,

    Um, just found something that's worth a try. I'll post it here if it works. :)
    Again, thanks very much for your generous help.


    Tintin

    Thanks.
    • Proposed as answer by Fisnik Hasani Friday, October 9, 2009 7:55 PM
    Friday, August 21, 2009 2:58 AM
  • Hi Tintin:

    Wonderful, I look forward to seeing your post...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Friday, August 21, 2009 6:03 AM
  • Hello - Tintin1983:

    I'm wondering how the situation is on your side?
    Is this issue solved or not?

    Please tell me...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Friday, October 2, 2009 6:53 PM
  • Hello - Tintin1983:

    I'm wondering how the situation is on your side?
    Is this issue solved or not?

    Please tell me...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Tuesday, October 13, 2009 6:09 AM
  • Hi Tintin1983:

    Thanks!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Tuesday, October 13, 2009 6:34 AM
  • Hello Tintin1983:

    Is this thread solved? How is the situation on your
    side? If you DO NOT want to share the solution,
    then please, by all means, mark something as answer,
    so we can close this thread.

    Thanks!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, October 21, 2009 6:04 PM
  • Hi Tintin1983:

    How is the situation on your side?
    Is this thread solved or NOT?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Friday, November 13, 2009 7:48 PM

  • I have to say, none of the resources we can google from provided enough information.
    The answer lies in credssp source code.

    It's very different from what we may have imagined from the provided web resources.
    Also, the reason MSDN didn't provide "clear-enough" materials is that seldom do people need to go into this kind of stuff.

    I no longer own that piece of code. But I will read my teammate's code and provide the answer here before 11.17.2009.

    Frankly speaking I feel very guilty for not closing the thread ASAP. Really sorry. :P

    Have a nice sunny winter Sunday.


    Thanks.
    Sunday, November 15, 2009 8:56 AM
  • Thanks!
    Coder24.com
    Sunday, November 15, 2009 5:05 PM