KRB5 Windows plugin for 3.1


Seth Walsh

Jul 16, 2014, 2:13:38 PM7/16/14
to pgina...@googlegroups.com
I've written a KRB5 Kerberos plugin for pgina 3.1, and have successfully tested it within the pgina simulation.  Once I do a little more testing in a live environment I'd be willing to share that source with anyone as I know others have asked for it.

Seth Walsh
Marriott Library University of Utah

Hans Wurst

Jul 17, 2014, 1:50:12 AM7/17/14
to pgina...@googlegroups.com

I'm very interested in this new plugin.

If you don't mind, a doc file would be nice too, like
https://raw.githubusercontent.com/pgina/docs/gh-pages/v3.1/ldap.md

I know it's not Christmas,
but a small Debian VM image would be nice to run some tests.

Nate Yocom

Jul 17, 2014, 11:42:41 AM7/17/14
to pgina...@googlegroups.com
Indeed - no doubt others would find this plugin useful! 
Nate


--
You received this message because you are subscribed to the Google Groups "pgina-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pgina-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Seth Walsh

Jul 23, 2014, 6:02:41 PM7/23/14
to pgina...@googlegroups.com
Ok, so we've completed our first stages of testing and everything seems to be working as expected (with one caveat that I'll explain later). We can successfully authenticate users from either a machine in a domain or a non-domain machine (the goal of the project), and complete the logon process. So I feel comfortable handing out this code at this stage for anyone to use, improve on, or add suggestions to.

The way it works is by having two DLLs. The primary one is a normal pGina C# DLL that calls an unmanaged DLL to do the actual building of the security structures and make the Windows SSPI Kerberos calls to authenticate. That unmanaged DLL returns a result which is parsed by the C# DLL, which then reports either success or one of various error messages.

It's a single VS 2010 solution with the various projects inside, including a small console tester project so you can quickly test your authentication for a given user, password, domain and SPN target.

Here is a link to the github repository:

KRB5-pGina-plugin

Now the caveat...

So one thing I've noticed is that when entering the authentication stage for my plugin, the UserInformation does not seem to have the Domain set. This is needed by the unmanaged portion of the code to create the SEC_WINNT_AUTH_IDENTITY, so for now I'm setting it manually. When I finish the Configuration portion, that will allow you to enter it there instead of in the source itself.

David Wolff

Jul 23, 2014, 6:29:18 PM7/23/14
to pgina...@googlegroups.com

Hi Seth,


Cheers,
David

Seth Walsh

Jul 26, 2014, 2:49:26 PM7/26/14
to pgina...@googlegroups.com
Hi David,

Initially I was using P/Invoke to call AcquireCredentialsHandle() and InitializeSecurityContext(); however, I kept running into problems with creating the security principal. InitializeSecurityContext() would always return with a SEC_E_NO_CREDENTIALS error. It is most likely doable, but I am not the best at using IntPtrs and trying to replicate the C++ structure

    typedef struct _SEC_WINNT_AUTH_IDENTITY {
        unsigned short __RPC_FAR *User;        /* user name, no realm suffix */
        unsigned long             UserLength;   /* length in characters, not bytes */
        unsigned short __RPC_FAR *Domain;       /* domain / Kerberos realm */
        unsigned long             DomainLength;
        unsigned short __RPC_FAR *Password;
        unsigned long             PasswordLength;
        unsigned long             Flags;        /* SEC_WINNT_AUTH_IDENTITY_ANSI or _UNICODE */
    } SEC_WINNT_AUTH_IDENTITY, *PSEC_WINNT_AUTH_IDENTITY;

and then pass an IntPtr to it in the pAuthData parameter of AcquireCredentialsHandle(). That was taking longer for me than having a separate unmanaged DLL. If anyone who is more familiar with pointers in managed code than I am wants to take a shot at getting that to work, I think P/Invoke usage and combining both DLLs into a single managed DLL would be ideal.
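The P/Invoke route described above, as an added example that is not the thread's code nor the KRB5-pGina-plugin project's: it marshals SEC_WINNT_AUTH_IDENTITY from C#, acquires an outbound Kerberos credential, and asks for a service ticket for an SPN, which is the step at which the KDC actually checks the password. It also covers the caveat from the Jul 23 message by falling back to a configured realm when pGina hands over a UserInformation with no Domain. The `configuredRealm` and `spn` values are placeholders supplied by the caller; the constants are the documented SSPI values.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not the thread's or the plugin's code): the unmanaged "authdll"
// Kerberos check done through P/Invoke instead of a separate C++ DLL.
public static class Krb5Sspi
{
    const int SECPKG_CRED_OUTBOUND = 2;
    const int SEC_WINNT_AUTH_IDENTITY_UNICODE = 2;  // must match the string marshalling below
    const int ISC_REQ_ALLOCATE_MEMORY = 0x100;       // SSPI allocates the output token
    const int SECURITY_NATIVE_DREP = 0x10;
    const int SECBUFFER_TOKEN = 2;
    const int SECBUFFER_VERSION = 0;
    public const int SEC_E_OK = 0;
    public const int SEC_I_CONTINUE_NEEDED = 0x00090312;
    public const int SEC_E_NO_CREDENTIALS = unchecked((int)0x8009030E);
    public const int SEC_E_LOGON_DENIED = unchecked((int)0x8009030C);

    // Same layout as the C struct quoted above; LPWStr + the UNICODE flag keeps the
    // marshaller and the SSP in agreement about the string encoding.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct SEC_WINNT_AUTH_IDENTITY
    {
        [MarshalAs(UnmanagedType.LPWStr)] public string User;     public uint UserLength;
        [MarshalAs(UnmanagedType.LPWStr)] public string Domain;   public uint DomainLength;
        [MarshalAs(UnmanagedType.LPWStr)] public string Password; public uint PasswordLength;
        public uint Flags;
    }
    [StructLayout(LayoutKind.Sequential)] struct SecHandle { public IntPtr dwLower, dwUpper; }
    [StructLayout(LayoutKind.Sequential)] struct SecBuffer { public int cbBuffer, BufferType; public IntPtr pvBuffer; }
    [StructLayout(LayoutKind.Sequential)] struct SecBufferDesc { public int ulVersion, cBuffers; public IntPtr pBuffers; }

    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int AcquireCredentialsHandle(string pszPrincipal, string pszPackage, int fCredentialUse,
        IntPtr pvLogonID, ref SEC_WINNT_AUTH_IDENTITY pAuthData, IntPtr pGetKeyFn, IntPtr pvGetKeyArgument,
        out SecHandle phCredential, out long ptsExpiry);
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int InitializeSecurityContext(ref SecHandle phCredential, IntPtr phContext, string pszTargetName,
        int fContextReq, int Reserved1, int TargetDataRep, IntPtr pInput, int Reserved2,
        out SecHandle phNewContext, ref SecBufferDesc pOutput, out int pfContextAttr, out long ptsExpiry);
    [DllImport("secur32.dll")] static extern int FreeCredentialsHandle(ref SecHandle phCredential);
    [DllImport("secur32.dll")] static extern int DeleteSecurityContext(ref SecHandle phContext);
    [DllImport("secur32.dll")] static extern int FreeContextBuffer(IntPtr pvContextBuffer);

    // Returns SEC_E_OK when the KDC issued a ticket for `spn` using the supplied password;
    // otherwise the SSPI status (e.g. SEC_E_LOGON_DENIED for a wrong password).
    public static int Authenticate(string user, string domain, string password, string configuredRealm, string spn)
    {
        // pGina's UserInformation may arrive with Domain unset, so use the realm from the
        // plugin configuration instead of a value hard-coded in the source.
        if (string.IsNullOrEmpty(domain)) domain = configuredRealm;

        var ident = new SEC_WINNT_AUTH_IDENTITY {
            User = user,         UserLength = (uint)user.Length,
            Domain = domain,     DomainLength = (uint)domain.Length,
            Password = password, PasswordLength = (uint)password.Length,
            Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE };

        SecHandle cred; long expiry;
        int rc = AcquireCredentialsHandle(null, "Kerberos", SECPKG_CRED_OUTBOUND, IntPtr.Zero,
                                          ref ident, IntPtr.Zero, IntPtr.Zero, out cred, out expiry);
        if (rc != SEC_E_OK) return rc;  // the identity is only stored here; no KDC traffic yet

        IntPtr bufMem = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(SecBuffer)));
        SecHandle ctx = new SecHandle();
        try
        {
            Marshal.StructureToPtr(new SecBuffer { cbBuffer = 0, BufferType = SECBUFFER_TOKEN, pvBuffer = IntPtr.Zero }, bufMem, false);
            var desc = new SecBufferDesc { ulVersion = SECBUFFER_VERSION, cBuffers = 1, pBuffers = bufMem };
            int attrs;
            // AS-REQ (password check) and TGS-REQ for `spn` both happen inside this call.
            rc = InitializeSecurityContext(ref cred, IntPtr.Zero, spn, ISC_REQ_ALLOCATE_MEMORY, 0,
                SECURITY_NATIVE_DREP, IntPtr.Zero, 0, out ctx, ref desc, out attrs, out expiry);
            var outBuf = (SecBuffer)Marshal.PtrToStructure(bufMem, typeof(SecBuffer));
            if (outBuf.pvBuffer != IntPtr.Zero) FreeContextBuffer(outBuf.pvBuffer);  // AP-REQ token, not needed
            // Either status means a service ticket was obtained with the user's password.
            return (rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED) ? SEC_E_OK : rc;
        }
        finally
        {
            if (ctx.dwLower != IntPtr.Zero || ctx.dwUpper != IntPtr.Zero) DeleteSecurityContext(ref ctx);
            FreeCredentialsHandle(ref cred);
            Marshal.FreeHGlobal(bufMem);
        }
    }
}
```

Two points worth checking when wiring this into a plugin. First, AcquireCredentialsHandle only stores the identity; a SEC_E_NO_CREDENTIALS from the later InitializeSecurityContext commonly means the SSP could not read the identity at all, so a struct layout or Flags/encoding mismatch in the marshalled SEC_WINNT_AUTH_IDENTITY is the first thing to verify. Second, on a non-domain machine the realm's KDCs must be resolvable (DNS SRV records or `ksetup /addkdc`), and obtaining a ticket only proves the password to whichever KDC answered; ruling out a spoofed KDC would require the host to hold the SPN's own key and validate the ticket with AcceptSecurityContext, which this example does not do.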

Oluwatosin Oluwadare

Aug 4, 2014, 3:26:18 PM8/4/14
to pgina...@googlegroups.com
I was able to use the plugin in run-time testing, but getting it to work with an already set up Kerberos 5 environment became really tricky. Can you please provide some sort of documentation on the two DLLs you mentioned?

Seth Walsh

Aug 19, 2014, 5:55:02 PM8/19/14
to pgina...@googlegroups.com
Sure. It's pretty busy here at work this week, but I should free up some time shortly, and I'll write up a bunch of documentation on the two DLLs and how they work for us.

Seth

Yanko Hurts

Mar 18, 2015, 12:11:53 PM3/18/15
to pgina...@googlegroups.com
Seth, I know it's been almost a year since the last post, but is there any update on this plugin? I think it will be an invaluable contribution.

I'm about to port the old 2.x plugin, but I want to hear your news first.


Regards.

Seth Walsh

Jun 2, 2015, 6:13:15 PM6/2/15
to pgina...@googlegroups.com
Hey Yanko,

Sorry, I got assigned to other work for a while, but now we're about ready to roll out the pGina environment to all our labs as we remove ourselves from our Windows domain on about 800 machines, so I will get around to combining the two .DLL files into a single .DLL pGina plugin shortly. Give me a week or two, but I'll keep this thread up to date.

Seth Walsh

Jun 3, 2015, 5:48:04 PM6/3/15
to pgina...@googlegroups.com
Ok, for anyone who wants to use Kerberos to authenticate through pGina 3.x: I've gone back over the project and fixed it so that there is a single DLL file now. I've uploaded the VS 2010 solution to my GitHub and will provide a link below.

One of the biggest headaches was the fact that a lot of the authentication calls and structures in Windows are still in C++, and it would have been a nightmare to try to port all the memory management over and make sure it functioned correctly. The simplest solution was to keep all of that contained in a small C++ file with a single function that does the actual Kerberos authentication and takes in the user's information from pGina. Then I simply added a reference to that DLL in my pGina plugin and make a single function call to authenticate.

Once you've downloaded the solution, make sure that the "authdll" C++ project is set to Debug mode and not Release, or you're going to have a big headache converting all the char* to wchar*, char* to shorts, etc. Feel free to if you want, but it wasn't needed for us, so I chose the simpler route.

Set the "krb5Auth" project to Release.  Then compile the solution.  

This will give you the pGina.Plugin.krb5Auth.dll file. Copy it to the pGina plugins Contrib folder.

To use the plugin you MUST set your krbtgt realm. I've added a configuration window that allows you to set that, and it should store it in the registry under the pGina settings.

That's it.  It should work for you, let me know if you have any issues or other questions.  There is also a readme in the Github link that goes over all that again.



Seth Walsh
University of Utah

Bryson Tanner

Jun 11, 2015, 11:40:47 AM6/11/15
to pgina...@googlegroups.com
Seth,

Thanks for the development! Visual Studio, however, is unable to find the .vcxproj file for authdll because the solution still points at a local D:\ drive. Is that an essential part of this solution? If so, would you be able to include that file on GitHub (or point me to it if I missed it)?

Thank you very much!