date: Thu, 5 Jun 2008 13:03:02 -0700,    group: microsoft.public.platformsdk.security


Active Directory and use of SSPI EncryptMessage/DecryptMessage
(Reposting on platformsdk.security, was originally on
windows.server.active_directory).

I'm using Java JNDI to talk to ADAM / LDS. I wanted to use pass-through
authentication so I wrote a custom SASL client for JNDI that implements
GSS-SPNEGO, using native SSPI calls.

I've been able to avoid the need for encrypting messages by requesting no
context attributes during the SSPI bind process, so that the completed
context does not have the ISC_RET_INTEGRITY flag - and hence communication
proceeds using plain LDAPv3, which JNDI can do just fine. So far, things are
working great.

However, I've discovered that when my client code runs on Server 2008, the
resulting context contains ISC_RET_INTEGRITY, ISC_RET_REPLAY_DETECT and
ISC_RET_SEQUENCE_DETECT even though I did not request them. As a result,
messages must undergo GSS wrap/unwrap when communicating with the server to
satisfy the integrity requirement.

I presume this means calling EncryptMessage / DecryptMessage on the bytes,
so I do this in GSSAPI style following the reference code at

http://msdn.microsoft.com/en-us/library/ms995352.aspx

My EncryptMessage call succeeds (and interestingly SecPkgSizes.cbBlockSize,
and consequently the third buffer (SECBUFFER_PADDING) size, is always
zero). I then concatenate the three buffers in the same order and send it
over the wire. However, AD does not seem to like this, and returns a message
which contains (after calling DecryptMessage on it):

LdapErr: DSID-0C06042B, comment: Error decrypting ldap message, data 0,
v1771, 1.3.6.1.4.1.1466.20036


So:

1. Is there any way to avoid Vista / Server 2008 setting the
ISC_RET_INTEGRITY flag when I use InitializeSecurityContext when running on
that platform? I know the server is not requiring this, since when I run the
same client code on XP talking to LDS on Server 2008, the flags are not set.
So it must be the SSPI client code on Vista that is forcing it.

2. If not, is there any more complete reference code for the correct way to
invoke EncryptMessage / DecryptMessage, and how to format the resulting
message from the buffers when talking to AD after a GSS-SPNEGO bind? Is it
GSS style messages and I'm screwing it up somehow, or does it expect messages
of a somewhat different format?

Thanks in advance for any pointers...

Doug
date: Thu, 5 Jun 2008 13:03:02 -0700   author:   clarkd4
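A check worth making on the send path described above: once a SASL security layer is in effect, RFC 4422 section 3.7 requires every protected buffer to be carried on the connection as a 4-octet network-byte-order length followed by the buffer, and RFC 4752 section 3.1 defines the 4-octet token (one octet of layer bitmask, three octets of maximum buffer size) in which the client states which layer it wants. Neither of these is produced by EncryptMessage; the caller adds the framing around the concatenated SECBUFFER_TOKEN, SECBUFFER_DATA and SECBUFFER_PADDING output. The following is an added example, not code from the post or from Microsoft; it does not call SSPI (the signature token and LDAP PDU are constructed stand-ins) and only implements the framing and the layer-negotiation token, so that both directions of the record layer can be tested offline.

```python
import struct

# Security-layer bits from RFC 4752 section 3.1. The client sends one of these
# (wrapped, without confidentiality) in the last leg of the GSSAPI SASL exchange.
LAYER_NONE = 0x01
LAYER_INTEGRITY = 0x02
LAYER_CONFIDENTIALITY = 0x04


def build_layer_token(layers: int, max_size: int) -> bytes:
    """4-octet token: 1 octet of layer bitmask, 3 octets of network-order max size."""
    if not 0 <= max_size < (1 << 24):
        raise ValueError("max_size must fit in 24 bits")
    if layers & ~(LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY):
        raise ValueError("unknown security-layer bits")
    return bytes([layers]) + max_size.to_bytes(3, "big")


def parse_layer_token(token: bytes) -> tuple:
    """Return (layer_bitmask, max_size) from a 4-octet security-layer token."""
    if len(token) != 4:
        raise ValueError("security-layer token must be exactly 4 octets")
    return token[0], int.from_bytes(token[1:4], "big")


def frame_wrapped(token: bytes, data: bytes, padding: bytes = b"") -> bytes:
    """Build one security-layer record for the wire.

    The record body is the EncryptMessage output concatenated in the order
    SECBUFFER_TOKEN, SECBUFFER_DATA, SECBUFFER_PADDING. RFC 4422 section 3.7
    requires that body to be prefixed on the connection by a 4-octet
    network-byte-order length; EncryptMessage does not emit that prefix.
    """
    body = token + data + padding
    if len(body) >= (1 << 32):
        raise ValueError("wrapped buffer too large")
    return struct.pack("!I", len(body)) + body


class FrameReader:
    """Splits a TCP byte stream back into complete wrapped buffers.

    Each returned buffer is the full wrapped token (signature + data) that the
    receiver hands to DecryptMessage; the length prefix is consumed here and
    never reaches the security package.
    """

    def __init__(self, max_size: int):
        self.max_size = max_size  # the negotiated maximum from the layer token
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        frames = []
        while len(self._buf) >= 4:
            (n,) = struct.unpack("!I", bytes(self._buf[:4]))
            if n > self.max_size:
                raise ValueError("record length %d exceeds negotiated max %d"
                                 % (n, self.max_size))
            if len(self._buf) < 4 + n:
                break  # wait for the rest of this record
            frames.append(bytes(self._buf[4:4 + n]))
            del self._buf[:4 + n]
        return frames

    def pending(self) -> int:
        """Octets buffered but not yet forming a complete record."""
        return len(self._buf)


if __name__ == "__main__":
    # Constructed stand-ins for EncryptMessage output: a 28-octet signature
    # token and a small LDAP PDU (an anonymous simple bind request, built by
    # hand; not captured from a real AD exchange). Padding is empty, as the
    # post observed for cbBlockSize == 0.
    sig = bytes(range(28))
    pdu = bytes.fromhex("300c020101600702010304008000")
    record = frame_wrapped(sig, pdu)
    reader = FrameReader(max_size=0xFFFFFF)
    assert reader.feed(record[:10]) == []           # partial read: nothing yet
    assert reader.feed(record[10:]) == [sig + pdu]  # complete record delivered
    print("record on the wire:", record.hex())
    print("'no security layer' token:", build_layer_token(LAYER_NONE, 0).hex())
```

The reader deliberately enforces the negotiated maximum buffer size before allocating, so a peer cannot announce a multi-gigabyte record and force the client to buffer it; that is the same bound the security-layer token exists to communicate.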
