Kerberos for mscertsrv_ca_handler.py

[3engel]

The mscertsrv_ca_handler.py handler doesn't support Kerberos authentications like mswcce_ca_handler.py.
However, using NTLM is a security issue and therefore Kerberos is recommended. Therefore it would be great to support kerberos also for mscertsrv_ca_handler.py.

[grindsa]

You proposal makes sense however the implementation is not that straight forward as it also requires modifications on the certsrv module. I am planning to look into it as part of next release.

As I am not an MS expert. Do you know how to enable Kerberos for on the MS Web Enrollment Service?

[3engel]

Sure. Since the MS Web Enrollment Service is using IIS (Internet Information Services / MS Web Server) the authentication configured there. In IIS under the CertSrv node there is an "Authentication" Option. "Windows Authentication" should be enabled.
In the providers list "Negotiate:Kerberos" should be configured as the only option.

It is also discribed here: https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429#:~:text=Disable%20NTLM%20Authentication%20on%20your,Restrict%20NTLM%3A%20Incoming%20NTLM%20traffic.

Many thanks for considering it.

[grindsa]

Feature made it into v0.35. Thus, closing this issue. In case you have comments feel free to reopen...

[3engel]

@grindsa First of all, thanks a lot for the effort.
I tested implementation and could not get to work. Then I tried to dig deeper in it by extracting the relevant code from certsrv.py parts to do some basic tests.

import gssapi.creds
import gssapi.raw
import gssapi.raw
import gssapi.sec_contexts
import requests
from requests_gssapi import HTTPSPNEGOAuth
import gssapi

username = "USERNAME"
password = "PASSWORD"
realm = "EXAMPLE.COM"
url = "https://winpki.example.com/certsrv"
oid = "1.3.6.1.5.5.2"  # SPNEGO

spnego = gssapi.OID.from_int_seq("1.3.6.1.5.5.2")

gssapiName = gssapi.Name(f"{username.upper()}@{realm.upper()}", gssapi.NameType.user)
accuire_cred = gssapi.raw.acquire_cred_with_password(
    gssapiName, password.encode(), mechs=[spnego], usage="initiate"
)
kerberos_auth = HTTPSPNEGOAuth(creds=accuire_cred.creds, mech=spnego)
response = requests.get(url, auth=kerberos_auth, verify=False)

if response.status_code == 200:
    print("Request was successful")
    print("Response content:", response.content)
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)

I never got this working with every kind of combination, I tried. When debugging the response object has a www-authenticate header with value 'Negotiate' only without the kerberos ticket.
Then I tried this:

import subprocess
import requests
from requests_kerberos import HTTPKerberosAuth, REQUIRED

username = "username"
password = "password"
realm = "EXAMPLE.COM"
url = 'https://winpki.example.com/certsrv'

fullUsername = f"{username}@{realm.upper()}"

kinit_command = ['kinit', fullUsername]
process = subprocess.Popen(kinit_command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
process.communicate(input=password.encode())

# Check if kinit was successful
if process.returncode != 0:
    raise Exception("kinit failed")

# Create a Kerberos authentication object
kerberos_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, principal=fullUsername)
response = requests.get(url, auth=kerberos_auth, verify=False)

# Check the response
if response.status_code == 200:
    print('Request was successful')
    print('Response content:', response.content)
else:
    print('Request failed with status code:', response.status_code)
    print('Response content:', response.content)

And that worked instantly. So I guess there is an issue with kerberos and the gssapi lib combined with the requests lib.

I modified certsrv.py and added like so:

elif self.auth_method == "kerberos":
            from requests_kerberos import HTTPKerberosAuth, REQUIRED
            import subprocess

            kinit_command = ['kinit', username.upper()]
            process = subprocess.Popen(kinit_command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            process.communicate(input=password.encode())

            if process.returncode != 0:
                raise Exception("kinit failed with return code {0} for user {1}".format(process.returncode, username))

            self.session.auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, principal=username.upper())

In mscertsrv_ca_handler.py I added 'kerberos' as auth_method:
if 'auth_method' in config_dic['CAhandler'] and config_dic['CAhandler']['auth_method'] in ['basic', 'ntlm', 'gssapi','kerberos']:

Then I modified the requirements.txt and the dockerfile (nginx/wsgi) by adding the required libaries and build a new docker image in order to test the certificate issueing and it worked.

It is not really clear to me why the gssapi method is not working.
I even could not make this work:

kinit <username>
curl --negotiate -u: <user>:<password> -k https://<host>/certsrv/

Step kinit works. I'm getting a valid ticket when doing a klist.
When doing the curl request I'm getting a 401 status code.

[grindsa]

Can you describe your deployment (containerized, rpm, deb or manual installation).

Can you share your acme_srv.cfg as well as the related krb5.cfg? Can you please enable debugging in acme_srv.cfg replicate the issue in a2c and share the log for troubleshooting? Feel free to share the information via email to grindelsack(at)gmail.com