Enforcing Kerberos only (using PackageNames.Kerberos)
valorl opened this issue
I am trying to use PackageNames.Kerberos instead of PackageNames.Negotiate in order to only accept Kerberos authentication. Ideally, I'd like to do this in a client-agnostic way, where I still return WWW-Authenticate: Negotiate and then I parse the Negotiate <token> header and pass it to AcceptToken, but with PackageNames.Kerberos.
I tried exactly that, but I'm getting: Failed to call AcceptSecurityContext. Error Code = '0x80090300' - "Not enough memory."
Could I get a clarification of the exact use case for PackageNames.Kerberos and whether what I'm trying to do is supposed to fail by design? Thanks in advance :)
What you're trying to do doesn't make sense. You can't take a token generated by a client-side Negotiate package and feed it to the server-side Kerberos package. It broke because you misrepresented the content of the token.
A negotiate token has to be fed to the negotiate package; a Kerberos token has to be fed to the Kerberos package. They're not the same protocol, and the contents of their tokens are completely different. You can't transform a negotiate token into a Kerberos token. Once a client has given you a token, you have to deal with it as they've given it to you. The client did everything correct - you said you support negotiate (since you say WWW-Authenticate: Negotiate), so they sent you a negotiate token. You broke your side of the deal by trying to treat a negotiate token as a Kerberos token. Don't do that.
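As an added illustration of why the two token kinds are not interchangeable (this is example code, not part of the issue and not the library's own API), the following language-neutral Python reads the mechanism OID from the GSS-API header of the token carried in Authorization: Negotiate and, when it is a SPNEGO negTokenInit, lists the mechanisms the client offered. A server can use this to confirm which package a token belongs to before handing it over; it also recognises raw NTLM tokens, which go beyond the issue's Kerberos/Negotiate case. The sample tokens are constructed header-only stubs, not captured traffic.

```python
import base64

# Mechanism OIDs seen in GSS-API token headers (RFC 2743) and SPNEGO mechTypes (RFC 4178).
MECHS = {"1.3.6.1.5.5.2": "spnego", "1.2.840.113554.1.2.2": "kerberos",
         "1.2.840.48018.1.2.2": "ms-kerberos", "1.3.6.1.4.1.311.2.2.10": "ntlm"}

def _der_len(buf, pos):                     # DER length at buf[pos] -> (length, next position)
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    return int.from_bytes(buf[pos + 1:pos + 1 + (b & 0x7F)], "big"), pos + 1 + (b & 0x7F)

def _read_oid(buf, pos):                    # OID element (tag 0x06) -> (dotted OID, next position)
    if buf[pos] != 0x06:
        raise ValueError("expected OID tag")
    n, pos = _der_len(buf, pos + 1)
    arcs, val = [buf[pos] // 40, buf[pos] % 40], 0
    for b in buf[pos + 1:pos + n]:          # base-128 arcs, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs)), pos + n

def inspect_token(token):                   # -> (outer mechanism, mechs offered in a negTokenInit)
    if token.startswith(b"NTLMSSP\x00"):     # raw NTLM is sent without GSS-API framing
        return "ntlm", []
    if not token or token[0] != 0x60:        # 0x60 = [APPLICATION 0] InitialContextToken;
        return "unknown", []                 # a negTokenResp continuation leg starts with 0xA1
    _, pos = _der_len(token, 1)
    oid, pos = _read_oid(token, pos)
    outer, offered = MECHS.get(oid, "unknown"), []
    if outer == "spnego" and pos < len(token) and token[pos] == 0xA0:
        for tag in (0xA0, 0x30, 0xA0, 0x30):  # [0] negTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF
            if token[pos] != tag:
                return outer, offered
            n, pos = _der_len(token, pos + 1)
        end = pos + n
        while pos < end:                     # mechTypes are listed in the client's preference order
            oid, pos = _read_oid(token, pos)
            offered.append(MECHS.get(oid, oid))
    return outer, offered

def inspect_authorization_header(header):    # value of 'Authorization: Negotiate <base64>'
    scheme, _, b64 = header.strip().partition(" ")
    return inspect_token(base64.b64decode(b64)) if scheme.lower() == "negotiate" else ("unknown", [])

KERBEROS_RAW = bytes.fromhex("600b06092a864886f712010202")  # constructed: Kerberos header, no AP-REQ
SPNEGO_INIT = bytes.fromhex(  # constructed: negTokenInit offering ms-kerberos, kerberos, ntlm
    "6032 06062b0601050502 a028 3026 a024 3022 06092a864882f712010202 06092a864886f712010202 060a2b06010401823702020a")
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SPNEGO_INIT).decode()
```

A real token's header is followed by the AP-REQ or the SPNEGO mechToken, which this parser deliberately does not walk; the outer mechanism alone already tells the server which package the client expects to answer it.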