I'm trying to implement Negotiate (at least the Kerberos part) in a small web server. I've figured out how to get a client to send me a Kerberos Negotiate Authorization header. I've figured out how to decode that data (ASN.1). I cannot figure out how to turn this into a WindowsIdentity
. I can get a general idea of how I might from KerberosReceiverSecurityToken
, but I can't find anything like a NegotiateReceiverSecurityToken
. I've been digging through lots of DLLs and I can't for the life of me figure out where IIS/.NET processes the Negotiate header.
I presume (if I had my own SspiWrapper
) that I would do something with SspiWrapper.AcquireDefaultCredential("Negotiate", CredentialUse.Inbound)
to acquire an SSPI context with which I could call AcceptSecurityContext/Negotiate
and then use QuerySecurityContextToken
to get the token with which I could create a WindowsIdentity
.
But KerberosReceiverSecurityToken
makes that look like an immensely complicated process. And without any idea of how to do that or what part of the Authorization header payload to put into it, I could probably beat my head against it for a month without getting anywhere.
(Before you ask or answer, I have absolutely no interest in using the built in Negotiate logic. If I could find it, I would learn from it, but I've been trying to get that to work for FAR to long. And I'm done with that.)
Secur32.AcquireCredentialsHandle
to get a handleSecur32.AcceptSecurityContext
passing the handle and the tokenSecur32.QuerySecurityContextToken
passing the security contextnew WindowsIdentity(hToken)
using the output form step 4If you have any questions about any of these steps, I can elaborate and/or provide some sample code.