WSman/WinRM message encryption from Java

  • Question

  • Hi,

    Just like Dan on the previous thread about WSman/WinRM encryption I am trying to implement Kerberos message encryption. Just like Dan I have developed a WinRM client, but unlike Dan this one (called Overthere) was not written in Ruby but in Java.

    The previous thread and Dan's code have given me some help on how to proceed but now I'm stuck getting HTTP error code 400 all the time. My Wireshark trace looks like this:

    POST /wsman HTTP/1.1
    Content-Length: 0
    Content-Type: application/soap+xml; charset=UTF-8
    Host: WIN-S2008R2-AD:5985
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
    Authorization: Kerberos ...
    
    HTTP/1.1 200 
    WWW-Authenticate: Kerberos YIGDBgkqhkiG9xIBAgICAG90MHKgAwIBBaEDAgEPomYwZKADAgEXol0EWzgjfFXyd2Cnm+l7p59pPsVJpLFhSq/zsi3yzvnrj3bU8hKn1NyWOkjs/Xzpxouom3lPVNJR4Ocer6jknUiL5J07jInFj2ONVxxZ+dgmJ83t5dNZGXfFBMqljaI=
    Server: Microsoft-HTTPAPI/2.0
    Date: Fri, 23 Aug 2013 13:50:10 GMT
    Content-Length: 0
    
    POST /wsman HTTP/1.1
    Content-Length: 2128
    Content-Type: multipart/encrypted;protocol="application/HTTP-Kerberos-session-encrypted";boundary="Encrypted Boundary"
    Host: WIN-S2008R2-AD:5985
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
    
    --Encrypted Boundary
    Content-Type: application/HTTP-Kerberos-session-encrypted
    OriginalContent: type=application/soap+xml;charset=UTF-8;Length=1856
    --Encrypted Boundary
    Content-Type: application/octet-stream
    ...binary...--Encrypted Boundary
    HTTP/1.1 400 
    Server: Microsoft-HTTPAPI/2.0
    Date: Fri, 23 Aug 2013 13:50:10 GMT
    Connection: close
    Content-Length: 0
    

    I've tried getting more information by tracing WinRM as suggested in the previous thread, but I have been unable to interpret the result.

    How can I get more information about what is going wrong? All help and any pointers are appreciated!

    Regards, Vincent.

    Friday, August 23, 2013 1:58 PM

Answers

  • Hi Vincent,

    I am more than happy to help you with the specifications.

    From your posted information I can see that you are working with a Windows 2008R2 server. So, as you correctly point out, [MS-WSMAN] is one of the specifications to look at but you also need to take a look at [MS-WSMV].

    As with all of our protocol-related documents, section 1.2 points to all of the references that are involved in the specification.

    I would recommend that you pay close attention to [MS-WSMV] section 2.2.9.1 (Encrypted Message Types) since it describes the areas you are having issues with.

    You will see that RFC 4121 is listed as a reference for the Kerberos protocol. To expand your reading about Kerberos should you need it, you can also look at [MS-KILE], which describes the protocol extensions to the above-mentioned RFC.

    Please feel free to contact us regarding any question that you may have regarding our specifications.

    Let me add that you can contact us through these forums or through email at: dochelp@microsoft.com

    Thanks and regards,

    Sebastian


    SEBASTIAN CANEVARI - MSFT Escalation Engineer Protocol Documentation Team

    Monday, August 26, 2013 4:03 PM
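
Added example, not part of the original thread and not Overthere's code: a Java sketch of the multipart/encrypted framing shown in the trace, with the binary part laid out as a 4-byte little-endian signature length, the signature, then the sealed SOAP bytes, and a closing delimiter ending in "--". The class and method names are hypothetical, and the signature and sealed bytes are assumed to come from the caller's own GSS wrap step.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class WinRmEncryptedFrame {                       // hypothetical class name
    static final String BOUNDARY = "--Encrypted Boundary";
    static final String OCTETS = "Content-Type: application/octet-stream\r\n";

    // signature and sealed are assumed to come from the caller's GSS wrap step (not shown).
    static byte[] build(byte[] signature, byte[] sealed, int originalLength) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        put(out, ascii(BOUNDARY + "\r\n"
                + "Content-Type: application/HTTP-Kerberos-session-encrypted\r\n"
                + "OriginalContent: type=application/soap+xml;charset=UTF-8;Length="
                + originalLength + "\r\n" + BOUNDARY + "\r\n" + OCTETS));
        // Binary part: 4-byte little-endian signature length, signature, sealed SOAP.
        put(out, ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN)
                .putInt(signature.length).array());
        put(out, signature);
        put(out, sealed);
        put(out, ascii(BOUNDARY + "--\r\n"));             // closing delimiter ends with "--"
        return out.toByteArray();
    }

    // Splits a body into {signature, sealed}; rejects malformed framing.
    static byte[][] parse(byte[] body) {
        String text = new String(body, StandardCharsets.ISO_8859_1); // one char per byte
        int start = text.indexOf(OCTETS);
        int end = text.lastIndexOf(BOUNDARY + "--");
        if (start < 0 || end < 0)
            throw new IllegalArgumentException("octet-stream part or closing boundary missing");
        start += OCTETS.length();
        if (end - start < 4)
            throw new IllegalArgumentException("binary part too short for length prefix");
        int sigLen = ByteBuffer.wrap(body, start, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
        if (sigLen < 0 || sigLen > end - start - 4)
            throw new IllegalArgumentException("signature length out of range: " + sigLen);
        int data = start + 4 + sigLen;
        return new byte[][] {Arrays.copyOfRange(body, start + 4, data),
                             Arrays.copyOfRange(body, data, end)};
    }

    static byte[] ascii(String s) { return s.getBytes(StandardCharsets.US_ASCII); }
    static void put(ByteArrayOutputStream out, byte[] b) { out.write(b, 0, b.length); }

    public static void main(String[] args) {
        byte[] sig = {1, 2, 3, 4, 5};                     // constructed stand-in, not a real token
        byte[] sealed = ascii("constructed-sealed-bytes"); // constructed stand-in
        byte[][] parts = parse(build(sig, sealed, sealed.length));
        System.out.println(Arrays.equals(parts[0], sig) && Arrays.equals(parts[1], sealed));
    }
}
```

Running `parse` over the body bytes exported from a capture shows whether the length prefix and closing delimiter are where the server expects them before any decryption is attempted.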

All replies

  • Hi Vincent, thank you for your question. A member of the protocol documentation team will respond to you soon.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Friday, August 23, 2013 3:29 PM
    Moderator
  • Hi Vincent,

    I'll be assisting you with this request.

    Before we begin, I need to make sure that you are in the right forum and if not, I need to understand where to direct you to.

    Are you using our protocol specifications? If so, what document/section are you having issues with?

    Thanks and regards,

    Sebastian


    SEBASTIAN CANEVARI - MSFT Escalation Engineer Protocol Documentation Team

    Friday, August 23, 2013 3:57 PM
  • Hi Sebastian,

    Thank you for your reply.

    Actually, I would very much like to work from a specification, but I have not been able to find the right one. So far I have reverse-engineered the Ruby code of Dan's WinRM client <https://github.com/zenchild/WinRM> and have been absorbing the information in the previous post <http://social.msdn.microsoft.com/Forums/en-US/db7ab0da-3bee-4965-a03f-0e3316e606da/wsman-winrm-message-encryption>.

    The only specification I have been able to find so far is [MS-WSMAN] Web Services Management Protocol Extensions for Windows Server 2003 but that does not seem to give me a lot of information, neither on the WinRM SOAP messages nor on the Kerberos encryption.

    Can you refer me to the correct protocol specification?

    Thank you! Kind regards, Vincent.

    Monday, August 26, 2013 7:36 AM