Python3 ldap3/GSSAPI: authenticate to Active Directory with a Negotiate token obtained from the browser


Hello, I have a local web app running as a Windows service. This web app receives a Negotiate token from the browser, and my service needs to check that the user token is valid (passwordless, based on the Windows login).

I have this little piece of code to demonstrate the problem:

from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl

base64token = 'YH8GBis.(not complete for security)...'
# Note: CERT_NONE disables certificate validation and PROTOCOL_TLSv1 pins TLS 1.0
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('my_active_directory.local', use_ssl=True, tls=tls)
# Try to pass the browser's token as the SASL credential for a GSSAPI bind
c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI, sasl_credentials=(base64token,))
c.bind()
print('user authenticated :{}'.format(c.extend.standard.who_am_i()))
c.unbind()

I get this error:

Traceback (most recent call last):
  File "C:\DEV\pyLdap3-gss\testGSSapi1.py", line 12, in <module>
    c.bind()
  File "C:\python37-64\lib\site-packages\ldap3\core\connection.py", line 615, in bind
    response = self.do_sasl_bind(controls)
  File "C:\python37-64\lib\site-packages\ldap3\core\connection.py", line 1343, in do_sasl_bind
    result = sasl_gssapi(self, controls)
  File "C:\python37-64\lib\site-packages\ldap3\protocol\sasl\kerberos.py", line 111, in sasl_gssapi
    return _windows_sasl_gssapi(connection, controls)
  File "C:\python37-64\lib\site-packages\ldap3\protocol\sasl\kerberos.py", line 280, in _windows_sasl_gssapi
    channel_bindings=get_channel_bindings(connection.socket))
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

If I remove the "sasl_credentials=(base64token,)" it authenticates correctly as the current user, but if I run it as a service it authenticates as the machine, not as a user, which is not good.

So how do I use the token correctly?

Note: the decoded base64Token contains the string "NTLMSSP"; is it compatible with ldap3/GSSAPI?

Thanks for your reply.

EDIT: It seems sasl_credentials is an array with ['host', token]:

c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI, sasl_credentials=('my_active_directory.local', b64token,))

Now I get this error: '8009030B: LdapErr: DSID-0C0905E4, comment: AcceptSecurityContext error, data 0, v3839\x00'
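Added example (not from the question, and not ldap3 code): a small inspector for the token the browser sends. The traceback shows ldap3's GSSAPI bind calling InitializeSecurityContext, that is, initiating a context as a client, whereas an "Authorization: Negotiate" token is an initiator token produced for the receiving service to accept; reading its header shows whether it is SPNEGO-wrapped NTLM or Kerberos, which determines how the service can validate it. The sample tokens below are constructed, not captured.

```python
import base64

# DER-encoded OID arcs (RFC 4178 SPNEGO, MS-NLMP NTLMSSP, RFC 1964 / MS-KILE Kerberos)
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2
MECH_NAMES = {NTLMSSP_OID: "NTLMSSP", KRB5_OID: "Kerberos V5", MSKRB5_OID: "MS KRB5"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate_token(token):
    """Classify a Negotiate header token (base64 str or raw bytes) by wrapper and mechanisms."""
    raw = base64.b64decode(token) if isinstance(token, str) else token
    if raw.startswith(b"NTLMSSP\x00"):    # browser sent bare NTLM without SPNEGO wrapping
        return {"wrapper": "ntlm", "mechs": ["NTLMSSP"]}
    tag, body, _ = _tlv(raw, 0)
    if tag != 0x60 or body[:1] != b"\x06":  # not a GSS-API InitialContextToken
        return {"wrapper": "unknown", "mechs": []}
    _, oid, pos = _tlv(body, 0)
    if oid != SPNEGO_OID:                  # bare mechanism token, e.g. a Kerberos AP-REQ
        return {"wrapper": "gss", "mechs": [MECH_NAMES.get(oid, oid.hex())]}
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ..., [2] mechToken }
    _, neg_init, _ = _tlv(body, pos)       # [0] negTokenInit
    _, seq, _ = _tlv(neg_init, 0)          # SEQUENCE
    _, mech_types, _ = _tlv(seq, 0)        # [0] mechTypes
    _, oids, _ = _tlv(mech_types, 0)       # SEQUENCE OF OID, in the client's preference order
    mechs, p = [], 0
    while p < len(oids):
        _, oid, p = _tlv(oids, p)
        mechs.append(MECH_NAMES.get(oid, oid.hex()))
    return {"wrapper": "spnego", "mechs": mechs}

def _der(tag, value):
    """Minimal DER TLV encoder for values shorter than 256 bytes (used for sample data only)."""
    length = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return bytes([tag]) + length + value

def build_sample_token(mech_oids, mech_token):
    """Constructed sample: SPNEGO NegTokenInit offering mech_oids and carrying mech_token."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    neg_init = _der(0xA0, _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token))))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_init)

# Constructed NTLM NEGOTIATE (type 1) message, the first message a browser sends under NTLM
SAMPLE_NTLM_NEGOTIATE = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x97\x82\x08\xe2" + b"\x00" * 16
SAMPLE_B64 = base64.b64encode(build_sample_token([NTLMSSP_OID], SAMPLE_NTLM_NEGOTIATE)).decode()
```

A token whose report lists NTLMSSP first (as the question's "NTLMSSP" string suggests) is an NTLM handshake, so validating it requires the service to complete the NTLM exchange with the domain, not a Kerberos bind.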
