I am working on enabling Kerberos authentication/delegation in my application.
My setup: The client is any web browser. The server runs on Windows and hosts some of my services, with Apache/Tomcat as the front end. The server can delegate work to one or more of my services on one or more machines. My services run in Java, but invoke C++ code via JNI and the C++ code makes the connection to the data sources (via ODBC for most relational data sources). Currently I am working on connecting to SQL Server via its ODBC driver.
I have mod_auth_kerb set up in Apache, and that is able to authenticate the user using Kerberos. My question: How do I use the established security context to impersonate the thread which will invoke the ODBC driver's SQLDriverConnect call? I have a working prototype that uses LogonUser and ImpersonateLoggedonUser API's to login a particular user (using her username and password) and impersonate her on the thread that invokes the SQLDriverConnect call on the SQL Server ODBC driver. But I don't know how to use GSSAPI's established security context/delegated context (gss_ctx_id_t/gss_cred_id_t) to impersonate my thread. In other words, how do I convert the GSSAPI's handles into SSPI handles so that I can invoke ImpersonateSecurityContext or ImpersonateLoggedonUser or similar Win32 API's.
Any help would be appreciated. Thanks!
Ed
Related
I have a .NET Application and a Windows Service, both run on the same machine. Application runs in a non-administrative user session.
Application communicates with Service via TCP.
Is there a way to secure this communication using standard API?
I need to ensure that Service accepts connections from my Application only, and it is not altered.
For instance, service requests OS to issue a security token, which can only be read by my Application executable with original control sum, then Application reads the token, sends it over to my Service when establishing the connection, and Service requests OS to verify it - something like that.
Let's assume we can not get password of the current user, only username and domain if necessary. Is it possible to get a session token or something similar to authenticate with remote service using LDAP authentication?
UPDATE
I am writing a c# app that would get info from a web service written in Python.
Remote web service uses python LDAP module to manage LDAP users and authentication. I'd like to use logged in windows user identity info to log into remote service. I can modify the authentication logic in remote web service if "token based" or similar authentication is possible.
You didn't say what type of application you're using, but the only way to do this is with Windows Authentication. For a web application, the web server (IIS, Apache, etc) would handle the authentication and give you the name of the authenticated user.
In ASP.NET, the implementation also depends on if you're using the .NET Framework or .NET Core.
To give you any more information, you will need to specify what type of application you're working on and on which OS.
I have a legacy application, which connects to the configured Oracle database.
It seems it has some logic that alters the database credentials as it is unable to successfully log in to the Oracle database, while sqlplus started on the same machine is able to log in.
The error I am getting is: [DataDirect][ODBC Oracle Wire Protocol driver][Oracle]ORA-01017: invalid username/password; logon denied
How to find out what is the database username and password that are sent to the database?
What I have tried so far:
Enabled auditing of failed sign-on attempts on Oracle (audit create session whenever not successful). It does not solve the issue, because it only logs the username, which seems to be correct, without the password.
Used a sniffer to eavesdrop the network traffic between the machine running the application and the database, but since Oracle's TNS protocol is encrypted, it did not help a lot.
Started a server using netcat on port X, provided port X in the application configuration file. The application did connect to my server, that is how I know the application is connecting to the correct server. But since the TNS protocol is pretty complex (requires a series of messages to be exchanged between the client and the server) I hope there is a simpler why of achiving what I want without having to reverse engineer Oracle and implementing my own server.
Enabled tracing of the JDBC driver (Trace=1, TraceFile, TraceDll). The trace file shows the correct username, but obviously the password is not getting logged.
My environment:
Database: Oracle 11g
Application runs on: Solaris
Application uses: DataDirect ODBC Oracle Wire Protocol v70
I not sure, but if connection established by ODBC driver (as described in question tags) then you can try ODBC sniffing tools like ODBC Tracing.
Citation:
Password "Sniffing" Using Trace
ODBC provides a means for tracing the conversation taking place between the driver and the host database. Used by developers for testing purposes, the tracing feature is designed to help programmers find out exactly what is going on and to help fix problems. However, tracing (also called "sniffing") can be used by nefarious bad guys to retrieve user passwords.
When tracing is enabled, communications with the host are written to a file. This includes the user ID and password, which are captured in plain text.
Update
SQLPlus connects to Oracle with OCI interface, but DataDirect ODBC driver uses it's own proprietary implementation of communication protocol. So, most probable point of failure is driver misconfiguration or incompatibility.
DataDirect provides some tools for ODBC drivers diagnostics, but only option applicable to case described in question is using snoop utility, which acts like a netcat which already tried.
Because connection failed at credential verification stage, the most probable source of error is using localized symbols for user name or password. There are some issues with Oracle authentication process, listed in DataDirect Knowledge Search (search for ORA-01017).
It seems that DataDirect provides two separate version of driver with and without Unicode support, therefore one of possible points of failure is to connecting with non-Unicode version of driver to Unicode version of database and vice verse.
P.S. For now I don't have any experience with DataDirect ODBC driver. So it's only suggestions about possible source of failure.
I'm trying to extend a windows service I've written to accept a kerberos ticket from a client and then delegate that ticket to an ODBC driver so it can connect to another server with it.
The ODBC driver works with kerberos authentication fine in a standalone scenario. That is, it can request and forward on a ticket for the current user just fine. But in my service, I may be dealing with multiple users at once. How do I accept a ticket so that when I connect to the ODBC driver it discovers and uses the correct user's ticket?
One possibility I can think of is to create a new process as the desired user by using the ticket. However, I would really like to avoid this if possible as it does not fit well within the current architecture of my service.
(Note: My service is written in C/C++ with the Win32 api)
I found the answer to my own question.
After authenticating a security context, I can use the ImpersonateSecurityContext function. This will cause the current thread to run as client who initiated the security context. From that thread I can call the connection functions for the ODBC driver and it will authenticate as the correct user.
http://msdn.microsoft.com/en-us/library/aa375497%28v=vs.85%29.aspx
We are trying to shape up an old, 2 tier, Delphi based application. It originally uses database authentication, we'd like to transform the db user accounts to global users, so an OID server could perform the authentication instead of the database.
The Delphi program can no longer log into the database if the account is a global user. I'm trying to understand the login protocol, so far without results.
Similar thing happens with SQLDeveloper, I can't connect as a global user. SQLPlus however works with both kinds of users. We checked the information flow with Wireshark. When the dbserver asks back for a password, the SQLPlus sends it, while the SQLDeveloper doesn't send a password when attempting to connect as a global user.
The client sends the application name too in the login request. Is it possible that we have to store the client app name in the LDAP itself?
To connect to Oracle using OID, application must properly configure OCI (Oracle Call Interface). The data access components (which one ?), you are using, must set OCI_ATTR_DISTINGUISHED_NAME session attribute. If that is not done, then you will be not able to connect to Oracle server using ODI and OCI.
You should check your components documentation for this feature. And if it is not implemented, then discuss this issue with the components vendor. Actually, there is not much work to implement, but some work to setup testing environment is required ...