What TargetName to use when calling InitializeSecurityContext (Negotiate)?
Asked Answered
C

4

21

The Question

When calling InitializeSecurityContext, what value do i pass to the TargetName parameter?

Revised Background

I'm calling the function InitializeSecurityContext:

InitializeSecurityContextA(
      @pAS.hcred,           //[in] credentials
      phContext,            //[in] optional] Context handle structure
      pszTargetName,        //[in, optional] Target name
      0,                    //[in] context requirements
      0,                    //[in] reserved1, must be zero
      SECURITY_NATIVE_DREP, //[in] target data representation
      pInput,               //[in] optional] SecBufferDescription
      0,                    //[in] reserved2, must be zero
      @pAS.hctxt,           //[in, out] pointer to context handle structure
      @OutBuffDesc,         //[in, out] pointer to SecBufferDesc
      ContextAttributes,    //[out] context attributes
      @lifetime);           //[out] expiration timestamp

What do i pass to pszTargetName?

I've tried

  • null: InitializeSecurityContextA(@pAS.hcred, phContext, null, ...);
  • "": InitializeSecurityContextA(@pAS.hcred, phContext, "", ...);
  • "spn/HOSTNAME": InitializeSecurityContextA(@pAS.hcred, phContext, "spn/HOSTNAME", ...);
  • spn/HOSTNAME.DOMAIN.COM: InitializeSecurityContextA(@pAS.hcred, phContext, "spn/HOSTNAME.DOMAIN.COM", ...);
  • "cargocult/PROGRAMMING": InitializeSecurityContextA(@pAS.hcred, phContext, "cargocult/PROGRAMMING", ...);
  • "http/TFS.DOMAIN.COM": InitializeSecurityContextA(@pAS.hcred, phContext, "http/TFS.DOMAIN.COM", ...);
  • "http/HOSTNAME": InitializeSecurityContextA(@pAS.hcred, phContext, "http/HOSTNAME", ...);
  • "qwertyasdf": InitializeSecurityContextA(@pAS.hcred, phContext, "qwertyasdf", ...);

  • "AuthSamp": InitializeSecurityContextA(@pAS.hcred, phContext, "AuthSamp", ...);

They all either fail, or downgrade to NTLM.

Note: My machine is domain joined, but the domain is not named domain.com, or even hostname.domain.com, or even qwertyasdf. So i'm not surprised that those attempts fail. But people said try things like http/HOSTNAME, so i put in http/HOSTNAME.

Background

The InitializeSecurityContext (Negotiate) function has an optional TargetName parameter:

pszTargetName [in, optional]

A pointer to a null-terminated string that indicates the service principal name (SPN) or the security context of the destination server.
Applications must supply a valid SPN to help mitigate replay attacks.

What is this supposed to be?

More Background

i am trying to validate a set of user's credentials, e.g.:

Boolean ValidateCredentials(String username, String password, String domain)
{
   ...
}

Validating a set of user's credentials requires using the SSPI API. The first function to call is InitializeSecurityContext. One of the parameters to InitializeSecurityContext is a "TargetName" string.

i've tried leaving it null, but the Application Verifier triggers a breakpoint, writing out the error:

VERIFIER STOP 00005003: pid 0xF08:
InitializeSecurityContext uses NULL target or malformed target for Kerberos service.
Please see pszTargetName for the value of the target.
00000000 : Not used.
00000000 : Not

At this point it would be helpful to remember that the Negotiate provider will attempt to use Kerberos, but fallback to NTLM. In the case of Negotiate, Kerberos or NTLM, the TargetName parameter is documented to be:

Service principal name (SPN) or the security context of the destination server.

But then what should i pass?

i tried doing what the SSPI Knowledge Base article does, nothing (i.e. pass NULL):

How to validate user credentials on Microsoft operating systems

ss = _InitializeSecurityContext(
        &pAS->hcred,
        pAS->fInitialized ? &pAS->hctxt : NULL, 
        NULL,        //<-------pszTargetName
        0, 
        0,
        SECURITY_NATIVE_DREP, 
        pAS->fInitialized ? &sbdIn : NULL,
        0, 
        &pAS->hctxt, 
        &sbdOut, 
        &fContextAttr, 
        &tsExpiry);

But nothing (i.e. NULL) doesn't work.

Note: The KB article was massivly rewritten in 2007. In its original 1999 incarnation they passed "AuthSamp" as the target, but that also fails.

Bonus Chatter:

service principal name
(SPN) The name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication

security context
The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session.

Bonus Chatter 2

From the application verifier documentation:

The Verifier plug detects the following errors:

  • The NTLM package is directly specified in the call to AcquireCredentialsHandle (or higher level wrapper API).

  • The target name in the call to InitializeSecurityContext is NULL.

  • The target name in the call to InitializeSecurityContext is not a properly-formed SPN, UPN or NetBIOS-style domain name.

  • The latter two cases will force Negotiate to fall back to NTLM either directly (the first case) or indirectly (the domain controller will return a “principal not found” error in the second case causing Negotiate to fall back).

  • The plug-in also logs warnings when it detects downgrades to NTLM; for example, when an SPN is not found by the Domain Controller. These are only logged as warnings since they are often legitimate cases – for example, when authenticating to a system that is not domain-joined.

In my case the domain i am validating against is null (since i don't know the machine's domain name, or even if there is a domain). But the results are the same if the hard-code my development machine's domain name.

Update 3

Values of pszTargetName that trigger AppVerifier error, but logon succeeds:

  • null
  • ""
  • "AuthSamp"
  • "qwertyasdf"
  • *the name of the domain i'm validating against (e.g. "avatopia.com")
  • *the name of the domain the machine is joined to (e.g. "avatopia.com")
  • *the name of the domain the user account is located in (e.g. "avatopia.com")

Values of pszTargetName that do not trigger an AppVerifier error, but logon fails:

  • "http/HOSTNAME"
  • "http/TFS.DOMAIN.COM"
  • "frob/GROBBER"
  • "cargocult/PROGRAMMING"
  • "spn/HOSTNAME"
  • "spn/HOSTNAME.DOMAIN.COM"

Values of pszTargetname that do not trigger an AppVerifier error, and logon succeeds:

  • none

Update 4

What i'm trying to do: figure out if a username/password is valid.

  • i have a username: e.g. "ian"
  • i have a password: e.g. "pass1"

Now there's the further wrinkle that the account ian could be a local account or a domain account. And you need to decide if ian is a local or domain account before you can ask. This is because ian can have two accounts:

  • ian on domain stackoverflow.com
  • ian on local machine

So i need to specify if i want to:

  • ask a particular domain (e.g. stackoverflow.com), or
  • ask the local machine (which i'll represent as ".")

Now we can come up with a cross reference:

Username  Password  Domain             Machine on domain?  Validate as
========  ========  =================  ==================  ==============
iboyd     pass1     .                  No                  Local account
iboyd     pass1     (empty)            No                  Local account
iboyd     pass1     stackoverflow.com  No                  Domain account

iboyd     pass1     .                  Yes                 Local account
iboyd     pass1     (empty)            Yes                 Domain account
iboyd     pass1     stackoverflow.com  Yes                 Domain account

Update 5

It might help to explain what i'm trying to do, then maybe how to do it will become easier. Lets say i walk into a random office building downtown, walk into a random cubicle, and type in a random username and password:

enter image description here

i'm going to try to login to the domain TURBOENCABULATOR. i specified i want to try to authenticate against the TURBOENCABULATOR domain by prefixing my username as:

TURBOENCABULATOR\ian

Note: i highly doubt the network has a domain called turboencabulator, since the name itself only comes from Rockwell automation. The attempt to login will almost certainly fail. But how does Windows check them?

How does Windows attempt to validate these credentials? How does Windows validate the credentials:

  • Username: ian
  • Password: pass1
  • Domain: TURBOENCABULATOR

Does Windows use the Security Support Package Interface? Assuming windows uses Negotiate or Kerberos for authentication, what does Windows pass as the pszTarget parameter? Almost certainly the credentials i enter will not be valid. How will Windows determine if they are valid? What API will Windows call to validate the credentails?

Windows is able to validate credentails. I want to also validate credentials.

Perhaps instead of trying to connect to the TURBOENCABULATOR domain, i try to connect to the turboencabulator.com domain by prepending the domain to my username as turboencabulator.com\ian:

enter image description here

Same question applies. How does Windows validate credentials? i want to do what Windows does. Assuming Windows uses kerberos for authorization, what does Windows pass as the pszTargetName parameter in SSPI?

Perhaps instead of trying to connect to the turboencabulator.com domain, i try to connect to the turboencabulator.net domain:

enter image description here

Note that in this example i've appended the domain name to my username, rather than prepending it.

Perhaps instead of trying to connect to the turboencabulator.net domain, i try to validate the user as a local (machine) account by prefixing my username with .\ as:

enter image description here

How does Windows validate the username and password against the local account database? Does it use SSPI with Negotiate package? If so what value does it pass as the pszTargetName?

People are talking about web servers, http, team foundation server. i really don't know where they're getting that from. Or they talk about editing a user in active directory to ensure something is present - i don't see why i need to edit anything: Windows doesn't edit anything.

What TargetName do i used when calling InitializeSecurityContext in order to validate a set of credentials?

Bonus Chatter

Here's a chapter from the Application Verifier documentation about why they have a test if someone is mistakenly using NTLM:

Why the NTLM Plug-in is Needed

NTLM is an outdated authentication protocol with flaws that potentially compromise the security of applications and the operating system. The most important shortcoming is the lack of server authentication, which could allow an attacker to trick users into connecting to a spoofed server. As a corollary of missing server authentication, applications using NTLM can also be vulnerable to a type of attack known as a “reflection” attack. This latter allows an attacker to hijack a user’s authentication conversation to a legitimate server and use it to authenticate the attacker to the user’s computer. NTLM’s vulnerabilities and ways of exploiting them are the target of increasing research activity in the security community.

Although Kerberos has been available for many years many applications are still written to use NTLM only. This needlessly reduces the security of applications. Kerberos cannot however replace NTLM in all scenarios – principally those where a client needs to authenticate to systems that are not joined to a domain (a home network perhaps being the most common of these). The Negotiate security package allows a backwards-compatible compromise that uses Kerberos whenever possible and only reverts to NTLM when there is no other option. Switching code to use Negotiate instead of NTLM will significantly increase the security for our customers while introducing few or no application compatibilities. Negotiate by itself is not a silver bullet – there are cases where an attacker can force downgrade to NTLM but these are significantly more difficult to exploit. However, one immediate improvement is that applications written to use Negotiate correctly are automatically immune to NTLM reflection attacks.

By way of a final word of caution against use of NTLM: in future versions of Windows it will be possible to disable the use of NTLM at the operating system. If applications have a hard dependency on NTLM they will simply fail to authenticate when NTLM is disabled.

How the Plug-in Works

The Verifier plug detects the following errors:

  • The NTLM package is directly specified in the call to AcquireCredentialsHandle (or higher level wrapper API).

  • The target name in the call to InitializeSecurityContext is NULL.

  • The target name in the call to InitializeSecurityContext is not a properly-formed SPN, UPN or NetBIOS-style domain name.

The latter two cases will force Negotiate to fall back to NTLM either directly (the first case) or indirectly (the domain controller will return a “principal not found” error in the second case causing Negotiate to fall back).

The plug-in also logs warnings when it detects downgrades to NTLM; for example, when an SPN is not found by the Domain Controller. These are only logged as warnings since they are often legitimate cases – for example, when authenticating to a system that is not domain-joined.

NTLM Stops

5000 – Application Has Explicitly Selected NTLM Package

Severity – Error

The application or subsystem explicitly selects NTLM instead of Negotiate in the call to AcquireCredentialsHandle. Even though it may be possible for the client and server to authenticate using Kerberos this is prevented by the explicit selection of NTLM.

How to Fix this Error

The fix for this error is to select the Negotiate package in place of NTLM. How this is done will depend on the particular Network subsystem being used by the client or server. Some examples are given below. You should consult the documentation on the particular library or API set that you are using.

APIs(parameter) Used by Application    Incorrect Value  Correct Value  
=====================================  ===============  ========================
AcquireCredentialsHandle (pszPackage)  “NTLM”           NEGOSSP_NAME “Negotiate”

See also

Chrisom answered 20/3, 2012 at 14:1 Comment(5)
InitializeSecurityContext is meant to provide authentication credentials securely over a network - using either NTLM or Kerberos. For instance, NTLMSSP authentication over HTTP, or SMB. It's not meant to validate username/password information, just provide it. I'm not saying you couldn't act as a client and a server in order to validate some credentials (that is, feed the results of InitializeSecurityContext back into itself) but that's certainly not the purpose it was built with and I'm skeptical about how it would work.Weslee
@Ian How does Windows authenticate against TURBOENCABULATOR domain? This is a big topic and you should probably buy a Windows Internals book and look at it. The picture that you are posting is not a logon screen. It's a dialog box prompted by Windows when you are trying to access deathstar.avatopia.com via the network. So, yes, that dialog box is going to get the password and does the SSPI for you. However, in general Windows Logon screen itself (WinLogon.exe) is not using SSPI to do the authentication. It's calling LogonUserEx directly.Sherburne
@Harvey Kwok i've updated the pictures to show a user being asked to enter usernames and passwords.Chrisom
@IanBoyd, Hi, Perhaps did you manage to deal with this issue already... I'm using winhttp API to open an http session from client, but the target server has multiple virtual servers. I wonder how do I combine between this interface and the Schannel that you mentioned in the question ( InitializeSecurityContext) ? thanks !Tericaterina
@Tericaterina The only time you would want to use this API is if you will be handling the authentication traffic back and forth yourself. Usually a browser and web-server can handle the authentication back-and-forth themselves. See my accepted answer below for a diagram.Chrisom
C
10

Short Answer

The TargetName is the username that you want to prove your identity to.

In the case of server, the username might be something like:

[email protected]

Background

The Negotiate authentication package will attempt to use Kerberos. If it cannot, it will attempt to fallback to NTLM.

  • You don't want to use NTLM; it is old, deprecated, weak, broken, and should not be used.
  • You want to use Kerberos.
  • In order to use Kerberos you must supply a TargetName
  • Without a TargetName, Kerberos is fundamentally unable the function

The question becomes, given all the parties involved:

  • me (Ian)
  • authenticating with Steve

what TargetName do i specify?

enter image description here

This is where it's important to know what TargetName means to Kerberos:

That's how Steve knows the blob is valid, it was encrypted so only he can decrypt it.

I have to tell Kerberos who i will be giving the encrypted blob to, so the domain controller knows who to encrypt it for.

So in the above list of possible names, three values work:

enter image description here

InitializeSecurityContext(credHandle, context, "[email protected]", ...);    
InitializeSecurityContext(credHandle, context, "stackoverflow.local\steve", ...);    
InitializeSecurityContext(credHandle, context, "steve", ...); //if we're in the same forest

So you can see why my earlier attempts to call InitializeSecurityContext all failed:

InitializeSecurityContextA(credHandle, context, null, ...);
InitializeSecurityContextA(credHandle, context, "", ...);
InitializeSecurityContextA(credHandle, context, "spn/HOSTNAME", ...);
InitializeSecurityContextA(credHandle, context, "spn/HOSTNAME.DOMAIN.COM", ...);
InitializeSecurityContextA(credHandle, context, "cargocult/PROGRAMMING", ...);
InitializeSecurityContextA(credHandle, context, "http/TFS.DOMAIN.COM", ...);
InitializeSecurityContextA(credHandle, context, "http/HOSTNAME", ...);
InitializeSecurityContextA(credHandle, context, "qwertyasdf", ...);
InitializeSecurityContextA(credHandle, context, "AuthSamp", ...);

Because i wasn't specifying Steve as the TargetName; i was specifying something non-sensical:

spn/HOSTNAME

In fairness, people did keep telling me to pass "spn/HOSTNAME".

Extra confusion because flexibility (welcome to SPN)

SPNs Short version

  • when using Kerberos you must specify a username as your TargetName
  • an SPN is an "alias" for a username
  • therefore you can specify an SPN as your TargetName

SPNs Long Version

In the case above i had to know that the "server" code will be running as [email protected].

That's a pain. I mean it's fine when i know it's steve. But if i'm talking to a remote machine, i have to find out the user account that the code is running as?

  • i have to figure out that IIS is running as [email protected]?
  • i have to figure out that SQL Server is running as [email protected]?
  • and what if the service is running as Local Service; that isn't a domain user at all?

Fortunately(?), Kerberos created aliases (called Service Principle Names - or SPNs):

  • if i need to authenticate to the web server http://bugtracker.stackoverflow.local
  • and IIS service is running under the domain account [email protected]
  • rather than have to specify the targetname of [email protected]
  • i can specify HTTP/bugtracker.stackoverflow.local
  • that's because IIS registered an alias with the domain controller
  • HTTP/bugtracker.stackoverflow.local[email protected]

All this requires that you know the SPN if you wish to use it as a TargetName. Various standard Microsoft products register SPNs when they install:

  • IIS: HTTP/[servername]
  • SQL Server: MSSQLSvc/[servername]:1433
  • SMTP: SMTPSVC/[servername]
  • File sharing: HOST/[servername]

These are all undocumented, and make your life hell when one isn't configured correctly.

But by no means do you have to supply a SPN. An SPN is simply an alias designed to make your life easier more difficult.

You can see the SPN associated with a machine account in Active Directory Users and Computers by finding the machine user account,and looking at it's servicePrincipleName attribute. E.g.:

Attribute Value
distinguishedName CN=Vader,CN=Computers,DC=stackoverflow,DC=com
dNSHostName VADER.stackoverflow.com
sAMAccountName VADER$
servicePrincipleName HOST/VADER
HOST/VADER.stackoverflow.com
MSSQLSvc/Vader.stackoverflow.com
MSSQLSvc/Vader.stackoverflow.com:1433
RestrictedKrbHost/VADER
RestrictedKrbHost/VADER.stackoverflow.com
TERMSRV/VADER
TERMSRV/Vader.stackoverflow.com
WSMAN/Vader
WSMAN/Vader.stackoverflow.com
DNS/Vader.stackoverflow.com
GC/Vader.stackoverflow.com/stackoverflow.com
ldap/VADER
ldap/Vader.stackoverflow.com
ldap/Vader.stackoverflow.com/STACKOVERFLOW

And you can query for the userPrincipleName using:

SELECT userPrincipalName FROM "LDAP://dc=stackoverflow,dc=com"
WHERE servicePrincipalName = 'HTTP/ticketsystem.stackoverflow.com'

userPrincipleName
-----------------
vader.avatopia.com

1 row(s) affected

It's roughly equivalent to attempting to specify "stackoverflow.com", rather than simply using "35.186.238.101".

Bonus Chatter - How does SSPI work?

SSPI was designed as a generic wrapper around different security algorithms. The way to use the API is pretty simple:

  • Client: calls InitializeSecurityContext and is given a blob
  • client sends that blob to the server
  • Server: calls AcceptSecurityContext(blob), and is given a blob back
  • server sends that blob back to the client
  • Client: calls InitializeSecurityContext(blob), and is given back a blob
  • client sends that blob back to the server
  • Server: calls AcceptSecurityContext(blob), and is given a blob back
  • ...keep repeating until told to stop...

Both sides keep going back and forth until the function stops returning a blob that needs to be sent to the other side:

enter image description here

And so the with SSPI you do this ping-ponging back and forth until you're told to stop. And so they were able to shoe-horn every authentication scheme into that ping-pong-until-told-to-stop high level abstraction.

How do I transmit the blobs?

You transmit the blobs over whatever communication channel you're using.

If you're talking to a remote server over TCP/IP, then you'd probably use that:

// Open connection to server
sockConnect(162.210.196.166, 1433);

blob = null;

Boolean bContinue = InitializeSecurityContext(ref blob);

while (bContinue)
{
   sockWrite(blob); //send the blob to the server

   blob = sockRead(); //wait for the server to return a blob 

   bContinue = InitializeSecurityContext(ref blob);
}

If you're doing it over http:

blob = null;
Boolean bContinue = InitializeSecurityContext(ref blob);

while (bContinue)
{
    http = new HttpRequest("http://4chan.org/default.aspx");
    http.AddHeader("X-SSPI-Blob", blob.ToBase64());
    http.Send();

    blob = http.ReasponseHeader["X-SSPI-Blob"];
    if (blob.IsEmpty())
       break;

    bContinue = InitializeSecurityContext(ref blob);
}

The SSPI API doesn't care you to get the blob transmitted back and forth - just that you have to transmit it back and forth.

  • using connecting to SQL Server, SQL client driver does the transmitting over the database connection
  • using http, the browser sends the blobs in request and response header

You can even use a carrier pidgeon, Skype, or E-mail if you like.

SPNs? How can I view them?

User aliases, also known as Service Principle Names, or SPNs are added to your Active Directory database. Windows Server comes with a handy MMC snap-in to view the AD database:

  • Name: ADSI Edit
  • Description: A low level Active Directory Services Interface editor.

Go find the server in AD:

  • 📝ADSI Edit
    • 🖥️Screwdriver [Screwdriver.contoso.local]
      • 📁CN=Computers
        • 📁CN=Hydrogen

Hydrogen is the name of a machine. But machines get their own user accounts in Active Directory:

  • Computer name: Hydrogen
  • Computer account name: Hydrogen$

And then in the servicePrincipleName attribute, you will see a list of SPNs for this computer account (i.e. [email protected]):

  • HOST/HYDROGEN
  • HOST/HYDROGEN.contoso.local
  • MSSQLSvc/Hydrogen.contoso.local
  • MSSQLSvc/Hydrogen.contoso.local:1433
  • RestrictedKrbHost/HYDROGEN
  • RestrictedKrbHost/HYDROGEN.contoso.local
  • TERMSRV/HYDROGEN
  • TERMSRV/Hydrogen.contoso.local
  • WSMAN/Hydrogen
  • WSMAN/Hydrogen.avatopia.com

So rather than passing:

  • Target: Hydrogen$.contoso.local

You can pass:

  • Target: MSSQLSvc/Hydrogen.contoso.local

And it will resovle it to the username Hydrogen$ for you.

Chrisom answered 21/3, 2018 at 16:18 Comment(0)
S
12

Ian, I think we still don't understand what you are trying to do exactly. In order to help you providing us more information on what you are trying to do, here is a little bit background about SSPI. You may already know this but just to make sure we are on the same page.

SSPI is generally used for authenticating a user over the network. Client calls the AcquireCredentialsHandle to obtain a credentials handle and then create a security context by calling InitializeSecurityContext. Pass the security buffer to server. Note that SSPI doesn't dictate how you pass the security buffer. You can use http, tcp, named pipe whatever you like. Once the server receive the security buffer. Similarly, it calls the AcquireCredentialsHandle first. Then it passes the received security buffer into AcceptSecurityContext and generate new security buffer. In some cases, the newly generated security buffer needs to send back to the client and client passes that into InitializeSecurityContext and generates another new security context again. This SSPI handshaking process continues until InitializeSecurityContext and AcceptSecurityContext both returns SEC_E_OK

Although SSPI was designed for authentication over the network, many applications are actually doing loopback SSPI handshaking, which means both client and server are on the same box. This is really just a special case of the network authentication. The end result of a loopback SSPI handshaking is a authenticated SSPI security context. With this authenticated SSPI, application can do QueryContextAttributes and ImpersonateSecurityContext. Since you seem to have no idea what targetName means, I am guessing you are trying to do the loop back handshaking. I might be wrong though but you need to tell us what you are trying to do.

To understand why targetName is needed in Kerberos but not in NTLM, you need to understand some more underlying implementation.

There are two different ways to acquire a credentials handle. Normally, people specify to use the current security context. (i.e. the account that you used to log onto your machine). You can also provide another set of username/password. Different security package has different meanings on the term credentials. NTLM means that it's going to save a hash of your password. Kerberos means that it's going to save a Ticket Granting Ticket (TGT). To the SSPI programmer, you don't need to worry about this.

Now, when the client passes in the acquired credentials handle into InitializeSecurityContext, similarly, different security package is going to do different things. NTLM is going to generate a NEGOTIATE packet on the first InitializeSecurityContext call. No other machines are involved in the process of generating the NEGOTITATE packet. Kerberos package is very different. It's going to talk to KDC to request a service ticket for the requested service. The service is identified by Service Principal Name (SPN) in Kerberos. I cannot cover all the details here. The net net is that service request for NTLM is untargeted while the service request for Kerberos is targeted. You can use the same NTLM NEGOTIATE packet for different services using NTLM authentication method. However, you need to use different Kerberos service tickets for different services using Kerberos authentication method. That's why when calling InitializeSecurityContext for Kerberos / Negotiate, you need to provide the targetName.

When KDC receives the request of a service ticket, it does a search on its LDAP database and find out which account is associated with the specified servicePrincipalName. The account can be AD user account or AD computer account. The KDC will use the target service account's master key (generated by the account password) to encrypt a session key. This encrypted session key will be passed from the client to the server later on.

Now, remember I said the server also needs to do AcquireCredentialsHandle and I said there are two major approaches to get the credentials handle? I guess your are using the first approach to acquire the credentials handles. That means it is going to use the current security context. In a normal network authentication case, this can be illustrated by the following example. If your sever is a HTTP server, it's going to be the service account of your IIS server. IIS server is going to use its service account master key to decrypt the encrypted session key. Once the session key is obtained, client and server continues the communication using the session key to do the encryption and decryption.

If it is a loop back SSPI scenario, it's trickier. If you are running domain\jane and doing loop back on yourself. You need to specify a SPN for domain\jane. What's the SPN for domain\jane. If you check the AD user object, there is none by default. You need to manually fix it.

There is one thing that used to work for me but it's undocumented. You can specify the user's UPN (i.e. [email protected]) as the SPN. This works for me. You can try it.

If that doesn't work, another way to fix it is to use the second approach to do the server part AcquireCredentialsHandle. Instead of using domain\jane credentials handle, you specify another service account credentials. You can make sure that service account has a correct SPN set. Then, you can use that service account's SPN in your InitializeSecurityContext. Of course, that also means you need to hard code your service account's password in the code. You need to be careful and make sure you completely lock down this service account so that even though the password is stolen, your AD environment is not at big risk.

Sherburne answered 24/3, 2012 at 18:15 Comment(11)
What i'm trying to do: i have a person's username and password, i want to know if they are valid. The extent of my knowledge of SSPI is limited to what came from the knowledge base article How to validate user credentials on Microsoft operating systems (which incidentally is what i want to do - validate user credentials). If a machine is domain joined, then it would probably check with the domain. But it's also possible for a user (and for me) to have a set of local credentials (even on a domain joined machine).Chrisom
Given a username, password, and domain, i'd like to validate those credentials. e.g. "ian","pass1","stackoverflow.com", ask the domain stackoverflow.com if ian/pass1 is correct. If i have "ian","pass1","." ask the local machine if ian/pass1 is a valid local account. If i have "ian","pass1","" on a domain joined machine, ask if ian/pass1 are valid on the domain` If i have "ian","pass1","" on a non-domain joined machine: ask the local machine if ian/pass1 is a valid local account.Chrisom
@Ian Are you talking about his article? support.microsoft.com/default.aspx?scid=http://… This article is using NTLM security package and yes, it's using loop back authenticationSherburne
That article, yes. And i'm also trying to reconcile the issue that NTLM is outdated and should not be used anymore.Chrisom
@Ian Yes, it's possible to make it working properly using Kerberos as long as you provide the correct SPN. The next information I need is the account that you are using to run the loop back SSPI code suggested in that MS article. I can walk you through how to set a SPN on that user account.Sherburne
It's every account, it's any account. This code will be running in a desktop application on any user's desktop. It will be running in software sold to different companies at different sites, with different domain names - or no domain names. None of which i will have physical access to. i'm really confused why this concept is so difficult: i want to check a username and password. The user types in their Windows username and password: i want to know if it's valid. You would think that nobody's ever tried to check credentials before.Chrisom
@HarveyKwok: but Kerberos is limited to domain joined machines, I believe.Weslee
@Ian It's difficult because you took the wrong path. Have you tried using LogonUserEx with LOGON32_LOGON_NETWORK?Sherburne
@Edward Yes, Kerberos is limited to domain joined machine. I didn't aware Ian added a lot of additional information and screenshots in the original questionsSherburne
@HarveyKwok i have tried LogonUser, but it is suffering it's own limitations and bugs (doesn't work with most users on Windows 2000, returns success when an account is disabled). That's why i'm also asking about SSPI. The Windows 2000 limitation is really a problem. The disabled users being able to login is a minor thing - since my company doesn't pay the fine.Chrisom
It's a few years later, but i wanted to mention that i figured it out. The answer is: targetName is the username of the person you are proving your identity to. If i am proving it to myself (i.e. only validating credentials), then it's stackoverflow\Ian - my username in domain\username form. If i was proving my identity to you, i would specify stackoverflow\hkwok. If i was proving my identity to a service running as the active directory user stackoverflow\mssqldaemon, then i would specify stackoverflow\mssqldaemon. Then there are SPNs, which are aliases of usernames - and also workChrisom
C
10

Short Answer

The TargetName is the username that you want to prove your identity to.

In the case of server, the username might be something like:

[email protected]

Background

The Negotiate authentication package will attempt to use Kerberos. If it cannot, it will attempt to fallback to NTLM.

  • You don't want to use NTLM; it is old, deprecated, weak, broken, and should not be used.
  • You want to use Kerberos.
  • In order to use Kerberos you must supply a TargetName
  • Without a TargetName, Kerberos is fundamentally unable the function

The question becomes, given all the parties involved:

  • me (Ian)
  • authenticating with Steve

what TargetName do i specify?

enter image description here

This is where it's important to know what TargetName means to Kerberos:

That's how Steve knows the blob is valid, it was encrypted so only he can decrypt it.

I have to tell Kerberos who i will be giving the encrypted blob to, so the domain controller knows who to encrypt it for.

So in the above list of possible names, three values work:

enter image description here

InitializeSecurityContext(credHandle, context, "[email protected]", ...);    
InitializeSecurityContext(credHandle, context, "stackoverflow.local\steve", ...);    
InitializeSecurityContext(credHandle, context, "steve", ...); //if we're in the same forest

So you can see why my earlier attempts to call InitializeSecurityContext all failed:

InitializeSecurityContextA(credHandle, context, null, ...);
InitializeSecurityContextA(credHandle, context, "", ...);
InitializeSecurityContextA(credHandle, context, "spn/HOSTNAME", ...);
InitializeSecurityContextA(credHandle, context, "spn/HOSTNAME.DOMAIN.COM", ...);
InitializeSecurityContextA(credHandle, context, "cargocult/PROGRAMMING", ...);
InitializeSecurityContextA(credHandle, context, "http/TFS.DOMAIN.COM", ...);
InitializeSecurityContextA(credHandle, context, "http/HOSTNAME", ...);
InitializeSecurityContextA(credHandle, context, "qwertyasdf", ...);
InitializeSecurityContextA(credHandle, context, "AuthSamp", ...);

Because i wasn't specifying Steve as the TargetName; i was specifying something non-sensical:

spn/HOSTNAME

In fairness, people did keep telling me to pass "spn/HOSTNAME".

Extra confusion because flexibility (welcome to SPN)

SPNs Short version

  • when using Kerberos you must specify a username as your TargetName
  • an SPN is an "alias" for a username
  • therefore you can specify an SPN as your TargetName

SPNs Long Version

In the case above i had to know that the "server" code will be running as [email protected].

That's a pain. I mean it's fine when i know it's steve. But if i'm talking to a remote machine, i have to find out the user account that the code is running as?

  • i have to figure out that IIS is running as [email protected]?
  • i have to figure out that SQL Server is running as [email protected]?
  • and what if the service is running as Local Service; that isn't a domain user at all?

Fortunately(?), Kerberos created aliases (called Service Principle Names - or SPNs):

  • if i need to authenticate to the web server http://bugtracker.stackoverflow.local
  • and IIS service is running under the domain account [email protected]
  • rather than have to specify the targetname of [email protected]
  • i can specify HTTP/bugtracker.stackoverflow.local
  • that's because IIS registered an alias with the domain controller
  • HTTP/bugtracker.stackoverflow.local[email protected]

All this requires that you know the SPN if you wish to use it as a TargetName. Various standard Microsoft products register SPNs when they install:

  • IIS: HTTP/[servername]
  • SQL Server: MSSQLSvc/[servername]:1433
  • SMTP: SMTPSVC/[servername]
  • File sharing: HOST/[servername]

These are all undocumented, and make your life hell when one isn't configured correctly.

But by no means do you have to supply a SPN. An SPN is simply an alias designed to make your life easier more difficult.

You can see the SPN associated with a machine account in Active Directory Users and Computers by finding the machine user account,and looking at it's servicePrincipleName attribute. E.g.:

Attribute Value
distinguishedName CN=Vader,CN=Computers,DC=stackoverflow,DC=com
dNSHostName VADER.stackoverflow.com
sAMAccountName VADER$
servicePrincipleName HOST/VADER
HOST/VADER.stackoverflow.com
MSSQLSvc/Vader.stackoverflow.com
MSSQLSvc/Vader.stackoverflow.com:1433
RestrictedKrbHost/VADER
RestrictedKrbHost/VADER.stackoverflow.com
TERMSRV/VADER
TERMSRV/Vader.stackoverflow.com
WSMAN/Vader
WSMAN/Vader.stackoverflow.com
DNS/Vader.stackoverflow.com
GC/Vader.stackoverflow.com/stackoverflow.com
ldap/VADER
ldap/Vader.stackoverflow.com
ldap/Vader.stackoverflow.com/STACKOVERFLOW

And you can query for the userPrincipleName using:

SELECT userPrincipalName FROM "LDAP://dc=stackoverflow,dc=com"
WHERE servicePrincipalName = 'HTTP/ticketsystem.stackoverflow.com'

userPrincipleName
-----------------
vader.avatopia.com

1 row(s) affected

It's roughly equivalent to attempting to specify "stackoverflow.com", rather than simply using "35.186.238.101".

Bonus Chatter - How does SSPI work?

SSPI was designed as a generic wrapper around different security algorithms. The way to use the API is pretty simple:

  • Client: calls InitializeSecurityContext and is given a blob
  • client sends that blob to the server
  • Server: calls AcceptSecurityContext(blob), and is given a blob back
  • server sends that blob back to the client
  • Client: calls InitializeSecurityContext(blob), and is given back a blob
  • client sends that blob back to the server
  • Server: calls AcceptSecurityContext(blob), and is given a blob back
  • ...keep repeating until told to stop...

Both sides keep going back and forth until the function stops returning a blob that needs to be sent to the other side:

enter image description here

And so the with SSPI you do this ping-ponging back and forth until you're told to stop. And so they were able to shoe-horn every authentication scheme into that ping-pong-until-told-to-stop high level abstraction.

How do I transmit the blobs?

You transmit the blobs over whatever communication channel you're using.

If you're talking to a remote server over TCP/IP, then you'd probably use that:

// Open connection to server
sockConnect(162.210.196.166, 1433);

blob = null;

Boolean bContinue = InitializeSecurityContext(ref blob);

while (bContinue)
{
   sockWrite(blob); //send the blob to the server

   blob = sockRead(); //wait for the server to return a blob 

   bContinue = InitializeSecurityContext(ref blob);
}

If you're doing it over http:

blob = null;
Boolean bContinue = InitializeSecurityContext(ref blob);

while (bContinue)
{
    http = new HttpRequest("http://4chan.org/default.aspx");
    http.AddHeader("X-SSPI-Blob", blob.ToBase64());
    http.Send();

    blob = http.ReasponseHeader["X-SSPI-Blob"];
    if (blob.IsEmpty())
       break;

    bContinue = InitializeSecurityContext(ref blob);
}

The SSPI API doesn't care you to get the blob transmitted back and forth - just that you have to transmit it back and forth.

  • using connecting to SQL Server, SQL client driver does the transmitting over the database connection
  • using http, the browser sends the blobs in request and response header

You can even use a carrier pidgeon, Skype, or E-mail if you like.

SPNs? How can I view them?

User aliases, also known as Service Principle Names, or SPNs are added to your Active Directory database. Windows Server comes with a handy MMC snap-in to view the AD database:

  • Name: ADSI Edit
  • Description: A low level Active Directory Services Interface editor.

Go find the server in AD:

  • 📝ADSI Edit
    • 🖥️Screwdriver [Screwdriver.contoso.local]
      • 📁CN=Computers
        • 📁CN=Hydrogen

Hydrogen is the name of a machine. But machines get their own user accounts in Active Directory:

  • Computer name: Hydrogen
  • Computer account name: Hydrogen$

And then in the servicePrincipleName attribute, you will see a list of SPNs for this computer account (i.e. [email protected]):

  • HOST/HYDROGEN
  • HOST/HYDROGEN.contoso.local
  • MSSQLSvc/Hydrogen.contoso.local
  • MSSQLSvc/Hydrogen.contoso.local:1433
  • RestrictedKrbHost/HYDROGEN
  • RestrictedKrbHost/HYDROGEN.contoso.local
  • TERMSRV/HYDROGEN
  • TERMSRV/Hydrogen.contoso.local
  • WSMAN/Hydrogen
  • WSMAN/Hydrogen.avatopia.com

So rather than passing:

  • Target: Hydrogen$.contoso.local

You can pass:

  • Target: MSSQLSvc/Hydrogen.contoso.local

And it will resovle it to the username Hydrogen$ for you.

Chrisom answered 21/3, 2018 at 16:18 Comment(0)
T
2

I am a couple years late to this party... Yesterday, I came across your question while researching my own SSPI issue. This morning as I continued my research, I came across an article by By Keith Brown, from the April 2001 MSDN Magazine, that seems to offer a solution to your question:

Security Briefs - The Security Support Provider Interface Revisited (archive)

by Keith Brown
From the April 2001 issue of MSDN Magazine.

The "Figures" referenced in the article (including the example code) is located here (archive)

The article contains example code which reveals the targetName (for the purpose of password validation) should be a string in the form "Machine\User" or "Domain\User".

I realize you likely found a solution to this issue a long time ago. Furthermore, I cannot certify that the author's code functions correctly on modern Windows platforms (I suspect it would, but I have not validated the behavior)

Hopefully the MSDN article will also be a useful resource to others.

Thymelaeaceous answered 18/7, 2014 at 6:10 Comment(1)
Unfortunately I was not able to locate the April 2001 issue of the MSDN Magazine via the given link any more. :-(Delaney
W
1

It depends a bit on the SPN you're trying to authenticate against. We do NTLM/SPNEGO authentication to HTTP servers (only), and the guidance suggests that HTTP/HTTPS server should register an SPN as http/HOSTNAME. So when we authenticate, we just prepend http/ to the upper-cased hostname. For example, we pass:

http/TFS.DOMAIN.COM

as the target to InitializeSecurityContext, where TFS.DOMAIN.COM is the upper-cased hostname that the user typed to access their TFS server.

We do not try to do any DNS lookups or FQDN matching. If the user simply types http://foo/ then our SPN is http/FOO. This means that the server admin must have configured http/FOO as an SPN.

It's not impossible that a server admin configures a machine, call it FOO and sets up the SPN http/FOO, then exposes this machine on the internet as extranet.domain.com. In that case, they should also configure http/EXTRANET.DOMAIN.COM as an SPN. This can get tricky with load balancers, etc, but this should be the server admin's responsibility.

Weslee answered 20/3, 2012 at 14:16 Comment(13)
What SPN would i use for validating Windows credentials using Negotiate?Chrisom
The SPN should be the same for NTLM or Negotiate - still just http/HOSTNAME, but maybe I don't entirely understand your question...Weslee
While the AppVerifier would trigger a stop, the login attempt would still succeed; no matter if the target was null, "", "AuthSamp" or "qwertyasdf". When i changed the target to "http/HOSTNAME" the logon attempts no longer work. So obviously "http/HOSTNAME" is something that Negotiate is recognizing, but then failing to work. Now i just need to know what i should pass as pszTargetName.Chrisom
I suspect that invalid SPNs (no slash) all route to NULL which AppVerifier will flag as a security issue. Do you have physical access to the server? You should be able to see how its SPN was configured and you can just use that verbatim. However, an admin should have set it up with spn/HOSTNAME and spn/HOSTNAME.DOMAIN.COM. Has the admin set up some DNS name for external access that differs from its internal name? If this is a specialized app you're writing, you can just hardcode the SPN the admin chose, however good form would the admin to setup SPNs for all its hostnames.Weslee
i don't have physical access to the user. This code can be deployed to any number of machines, on any number of networks, on any number of domains, for any number of clients. i just want to know if the username/password is valid. i don't have any information about the domain, or know if the machine is even on a domain.Chrisom
You shouldn't need to know the Windows domain name, you should only need to know the hostname the user typed. At least so goes my understanding. It should not be your responsibility to try to derive what the admin configured (or the domain name, or anything like that) from what the user entered, you should basically just pass it through with minor modifications (prepending the http/ and uppercasing the hostname.) I was hoping you had a test server that you knew the SPN on so that you could at least get a known-good setup working.Weslee
let us continue this discussion in chatWeslee
When i'm walking up to my desktop: how would i know my "spn"? i've never had to type one in before; just my username and password. "you should only need to know the hostname the user typed" No user has ever typed a hostname - i type in my Windows username and my Windows password. What hostname?Chrisom
The hostname of the computer you're connecting to...? Am I totally misunderstanding what you're trying to do? Are you trying to verify a user's credentials to the local machine? Or are you trying to connect to a server over HTTP or some other network protocol?Weslee
i'm trying to verify a user's credentials. The code will be running on some machine - although not limited to the same machine that the user will be typing them in on.Chrisom
i guess i need to point it out, "The hostname of the computer you're connecting to..." What computer? i'm not connecting to a computer. i have a Username and a Password. There is no host name, there is no computer. i have a username and a password (and a domain name if know it's a domain user). There is no host, there is no computer, there is no hostname. What could you possibly be referring to that involves a "host name"? What "host" could you possibly be referring to?Chrisom
I keep referring to the remote host because you're trying to use an API for passing credentials to a remote host. If you want an API for validating credentials, you should try LogonUserWeslee
i've been trying to use LogonUser, but it suffers its own bugs and limitations. So i've been asking SSPI questions in parallel.Chrisom

© 2022 - 2024 — McMap. All rights reserved.