jborean93 / omi

Open Management Infrastructure

Linux to Windows WSMAN with Negotiate auth fails with Domain user

gogbg opened this issue · comments

SUMMARY

I'm trying to do a WSMAN session from Ubuntu 18.04 to Windows using SSL and it fails when a Domain Account is used, whereas it works when a local account is used.

LIBMI VERSION
PWSMan 2.2.0

OS / ENVIRONMENT

Setup:

  • Enabled WinRM on Windows Server 2019. Windows Server is joined to an Azure Active Directory Domain Services domain
  • Installed Powershell 7.1.3 on Ubuntu 18.04 following official Microsoft article
  • Installed gss-ntlmssp on Ubuntu 18.04 to enable NTLM authentication as per PowerShell/PowerShell-Docker#124
  • Install PSWSMAN

Commands executed on Ubuntu server:

$PSSessionParameters = @{
    Authentication    = 'Negotiate'
    Credential        = [pscredential]::new('user@domain.com', ('password' | ConvertTo-SecureString -AsPlainText))
    UseSSL            = $true
    Port              = 5986
    ConfigurationName = 'PowerShell.7'
    SessionOption     = New-PSSessionOption -SkipCACheck -SkipCNCheck
}
New-PSSession -ComputerName 'host' @PSSessionParameters

Error received on Ubuntu: New-PSSession: [host] Connecting to remote server 10.0.104.201 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.
Error in Windows Server Security log:
Event 4625
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user@domain.com
Account Domain:

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000035B
Sub Status: 0x0

The status code 0xC000035B means STATUS_BAD_BINDINGS which would indicate there's some flawed logic in the channel binding token code.

I would be surprised if this logic is actually false though, it's tested quite extensively but I can't 100% rule out it's a problem there. A few things you can try/look into:

  • Run winrm get winrm/config/service/auth on the Windows target and see what the value of CbtHardeningLevel is
    • The shell must be run as admin to get the value
    • None means the token isn't validated at all
    • Relaxed means the token is validated if present and ignored if not
    • Strict means the token is validated and authentication fails if it is not present
  • Enable omi logging and look for any messages that relate to _CreateChannelBindingToken
    • You can enable logging with the details here https://github.com/jborean93/omi#troubleshooting
    • There will be a lot of information here so looking for that text helps to understand if the CBT step failed or succeeded
    • The logs might give you more information as to what subject the certificate is using, make sure it matches the host you are connecting to

Does the same account work when connecting from a Windows PowerShell client?

What's curious is that it's failing with the domain account and not the local one. Both types of accounts should use the same underlying code for the CBT stuff.
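Added example, not omi or PSWSMAN code, of what the channel binding check behind STATUS_BAD_BINDINGS actually computes and compares: the client hashes the TLS server certificate (RFC 5929 tls-server-end-point), wraps that in a GSS channel bindings structure and sends its MD5 in the NTLM MsvAvChannelBindings AV_PAIR; the server recomputes the same value from its own listener certificate. Placeholder bytes stand in for the DER certificates, the digest name is passed in rather than read from the certificate's signatureAlgorithm, and the reason strings returned by the server-side check are this example's own.

```python
"""
Channel binding token (CBT) derivation and acceptor-side check for NTLM over
HTTPS. Added example, not omi/PSWSMAN code. LISTENER_CERT and OTHER_CERT are
constructed placeholder bytes, not real DER certificates.
"""
import hashlib
import struct

# Constructed stand-ins for DER certificates: the real WinRM listener cert and
# a different cert, e.g. one presented by a TLS-intercepting proxy.
LISTENER_CERT = b"constructed DER bytes of the WinRM listener certificate"
OTHER_CERT = b"constructed DER bytes of some other certificate"


def tls_server_end_point(cert_der: bytes, digest_name: str) -> bytes:
    """RFC 5929 4.1: hash the server's end-entity certificate with the digest
    from its signatureAlgorithm; MD5 and SHA-1 are upgraded to SHA-256.
    `digest_name` is the bare hashlib name (e.g. "sha256"), an assumption of
    this example instead of parsing the certificate."""
    name = digest_name.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def gss_channel_bindings_struct(application_data: bytes) -> bytes:
    """Serialized gss_channel_bindings_struct as NTLM hashes it (MS-NLMP
    3.1.5.1.2): address types and lengths are zero, only application_data
    is populated. All integers are 32-bit little-endian."""
    return b"".join([
        struct.pack("<I", 0),                      # initiator_addrtype
        struct.pack("<I", 0),                      # initiator_address length
        struct.pack("<I", 0),                      # acceptor_addrtype
        struct.pack("<I", 0),                      # acceptor_address length
        struct.pack("<I", len(application_data)),  # application_data length
        application_data,
    ])


def ntlm_channel_binding_value(cert_der: bytes, digest_name: str) -> bytes:
    """The 16-byte MsvAvChannelBindings value carried in the NTLM AUTHENTICATE
    message: MD5 over the bindings struct whose application_data is the
    "tls-server-end-point:" prefix followed by the certificate hash."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der, digest_name)
    return hashlib.md5(gss_channel_bindings_struct(app_data)).digest()


def server_check(av_value, server_cert_der: bytes, digest_name: str, hardening: str):
    """Acceptor decision modelled on the three CbtHardeningLevel values
    (None / Relaxed / Strict). `av_value` is the client's MsvAvChannelBindings
    value, or None when the AV_PAIR is absent. Returns (accepted, reason);
    the reason strings are this example's own, not Windows text."""
    if hardening == "None":
        return True, "not validated"
    if av_value is None:
        if hardening == "Strict":
            return False, "binding required"
        return True, "no binding present"
    expected = ntlm_channel_binding_value(server_cert_der, digest_name)
    if av_value == expected:
        return True, "match"
    return False, "STATUS_BAD_BINDINGS"


if __name__ == "__main__":
    # Client computed its CBT from the certificate it actually saw on the wire.
    cbt = ntlm_channel_binding_value(LISTENER_CERT, "sha256")
    print("listener cert, Relaxed:", server_check(cbt, LISTENER_CERT, "sha256", "Relaxed"))
    # Same token checked by a server holding a different certificate: this is
    # the mismatch a TLS-inspecting middlebox or a wrong listener cert causes.
    print("other cert, Relaxed:   ", server_check(cbt, OTHER_CERT, "sha256", "Relaxed"))
    print("no binding, Strict:    ", server_check(None, LISTENER_CERT, "sha256", "Strict"))
```

The mismatch case is the one to keep in mind when reading the 0xC000035B event: the token itself can be computed correctly and still be rejected if the certificate the client hashed is not the certificate the WinRM listener holds, which is why the log's certificate subject is worth comparing against the target.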

Thanks @jborean93 .

Here are the answers.

  • CbtHardeningLevel is set to Relaxed
PS C:\Users\User> winrm get winrm/config/service/auth
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = true
    CbtHardeningLevel = Relaxed
  • Negotiate cannot be used with local accounts - the authentication fails
  • The same account works correctly from Windows Client
    • I enabled NTLM auditing on Windows Server; unfortunately it does not present any error. However, when the call is executed from Ubuntu there is a Mechanism OID added.
    • Windows Client call:
NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 3136
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3E4
Calling process user identity: vm-gs-alt001$
Calling process domain identity: KPMGCNTEST
Mechanism OID: (NULL)

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.
  • Ubuntu client call:
NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 3136
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3E4
Calling process user identity: vm-gs-alt001$
Calling process domain identity: KPMGCNTEST
Mechanism OID: 1.3.6.1.4.1.311.2.2.10

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.
  • OMI logging
    • _CreateChannelBindingToken looks ok - 2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _CreateChannelBindingToken - OK exit
    • However I get an error after this:
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Checking for full header...
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Full header has been received
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - check authorization
2021/06/08 05:55:00 [7336,7365] WARNING: null(0): EventId=30031 Priority=WARNING Base64Dec failed
2021/06/08 05:55:00 [7336,7365] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:(null) mech:(null)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - ACCESS DENIED reslt = 0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45128 Priority=DEBUG InteractionProtocolHandler_Operation_Strand_Post: 0x7f158c2341d0, msg(0x7f158c1d84d8:4:PostResultMsg:0)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45129 Priority=DEBUG MI_Result = MI_RESULT_ACCESS_DENIED

Full log below

2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45297 Priority=DEBUG MI_Client Application Initialize: application=0x7f158c20a8c0, internal-application=0x7f15b40010a0
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45283 Priority=DEBUG Enter Application_NewSession with application (0x7f158c20a8c0), protocol (null), destination(10.0.104.201), session (0x7f158c2339a8).
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45293 Priority=DEBUG Enter Session_Create with application (0x7f158c20a8c0), protocol (null), destination(10.0.104.201), session (0x7f158c2339a8).
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_ImpersonateClientInternal
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45303 Priority=DEBUG MI_Client Session Create: application=0x7f158c20a8c0, session=0x7f158c2339a8, internal-session=0x7f158c01c770
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_RevertImpersonation
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45284 Priority=DEBUG Leave Application_NewSession with session (0x7f158c2339a8).
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45295 Priority=DEBUG Enter Session_AccessCheck - session (0x7f158c2339a8)
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15a17f6be0 from generic handle: 0x7f158c2339a8
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45296 Priority=DEBUG Leave Session_AccessCheck on session (0x7f158c2339a8) with for operation (create instance).
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_GetApplication
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15a17f6bf0 from generic handle: 0x7f158c2339a8
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_GetProtocolHandlerSession
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15a17f6bf0 from generic handle: 0x7f158c2339a8
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_ImpersonateClient
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_GetProtocolHandlerApplication
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15a17f6bf0 from generic handle: 0x7f158c2339a8
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_RegisterOperation
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15a17f6be0 from generic handle: 0x7f158c2339a8
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45325 Priority=DEBUG MI_Client Operation Create Instance: session=0x7f158c2339a8, operation=0x7f158c2339c0, internal-operation=0x7f158c1c2eb0, namespace=<null>
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): _CreateConnectorSocket - Begin. host: 10.0.104.201, port: 5986, secure? 1
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): _CreateSocketAndConnect - Begin
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): _CreateSocketAndConnect - OK exit
2021/06/08 05:55:00 [7336,7355] INFO: null(0): EventId=40032 Priority=INFO Selector_AddHandler: selector=0x7f15a04217a8, handler=0x7f158c6d1fc0, name=HTTP_CLIENT
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): _CreateConnectorSocket - OK exit. socket: 131, secure: 1, timeout: 01:00.000
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45156 Priority=DEBUG (E)Protocol _RequestCallback: scheduling connect event on first read for ProtocolSocket 0x7f158c6d1fc0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45131 Priority=DEBUG InteractionProtocolHandler_Operation_Strand_PostControl 0x7f158c2341d0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45132 Priority=DEBUG ==== InteractionProtocolHandler_Session_ConnectionEvents() PROTOCOLEVENT_CONNECT
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45148 Priority=DEBUG ProtocolSocket: Posting message for interaction [0x7f158c6ccdc8]<-0x7f158c229018
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45206 Priority=DEBUG Sending msg(0x7f158c6c9318:4109:CreateInstanceReq:2712) on own thread
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45146 Priority=DEBUG InteractionProtocolHandler_Session_Connect passed !
2021/06/08 05:55:00 [7336,7355] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_RevertImpersonation
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): HttpClient_StartRequestV2 - SSL connect using socket 131 returned result: 1, errno: 0 (Success)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _CreateChannelBindingToken - OK exit
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _SessionMap_IsValid - SessionMap initialized.
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): HttpClient_StartRequest - Begin. verb: POST, URI: /wsman?PSVersion=7.1.3
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=50012 Priority=DEBUG HTTP: Loading gss api. (libgssapi_krb5.so.2)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=50011 Priority=DEBUG HTTP: Authorization Continue.
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _WriteHeader - Begin
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _Sock_Write - SSL_write using socket 131 returned 273 (< 0 for error) / 273 bytes written, errno: 0 (Success)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _Sock_Write - SSL socket successful write of 273 / 273 bytes
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _WriteHeader - _Sock_Write result: 0 (MI_RESULT_OK), socket: 131, sent: 273
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _WriteHeader - OK exit
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _WriteClientData - Begin
2021/06/08 05:55:00 [7336,7365] WARNING: null(0): _WriteClientData - Content is empty. Continuing
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _Sock_Read - SSL_Read returned: 554 (< 0 for error) / 16384 bytes read, errno: 0 (Success)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _Sock_read - Bytes read: 554
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Begin. _Sock_read result: 0 (MI_RESULT_OK), socket: 131, 554 / 16384 bytes read, reverse: 0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Received buffer: HTTP/1.1 401 
WWW-Authenticate: Negotiate <OBFUSCATED>==
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 08 Jun 2021 05:54:59 GMT
Content-Length: 0


2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Checking for full header...
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Full header has been received
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - check authorization
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=50013 Priority=DEBUG HTTP: Send Next Auth Reply.
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - not (yet) authorized. reslt = 1
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _RequestCallback - Called _RequestCallbackRead. 0 / 0 bytes read
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _Sock_Read - SSL_Read returned: 246 (< 0 for error) / 16384 bytes read, errno: 0 (Success)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _Sock_read - Bytes read: 246
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Begin. _Sock_read result: 0 (MI_RESULT_OK), socket: 131, 246 / 16384 bytes read, reverse: 0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Received buffer: HTTP/1.1 401 
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: Basic realm="WSMAN"
WWW-Authenticate: CredSSP
Date: Tue, 08 Jun 2021 05:54:59 GMT
Connection: close
Content-Length: 0

<OBFUSCATED>==
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Checking for full header...
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Full header has been received
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - check authorization
2021/06/08 05:55:00 [7336,7365] WARNING: null(0): EventId=30031 Priority=WARNING Base64Dec failed
2021/06/08 05:55:00 [7336,7365] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:(null) mech:(null)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - ACCESS DENIED reslt = 0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45128 Priority=DEBUG InteractionProtocolHandler_Operation_Strand_Post: 0x7f158c2341d0, msg(0x7f158c1d84d8:4:PostResultMsg:0)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45129 Priority=DEBUG MI_Result = MI_RESULT_ACCESS_DENIED
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45307 Priority=DEBUG MI_Client Operation Instance Result (async): session=0x7f158c2339a8, operation=0x7f158c2339c0, internal-operation=0x7f158c1c2eb0, resultCode=2, moreResults=FALSE
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_ImpersonateClient
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15937fd7e0 from generic handle: 0x7f158c2339c0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45295 Priority=DEBUG Enter Session_AccessCheck - session (0x7f158c1c2ee0)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15937fd790 from generic handle: 0x7f158c1c2ee0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45296 Priority=DEBUG Leave Session_AccessCheck on session (0x7f158c1c2ee0) with for operation (close operation).
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_ImpersonateClient
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15937fd788 from generic handle: 0x7f158c2339c0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45295 Priority=DEBUG Enter Session_AccessCheck - session (0x7f158c1c2ee0)
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f15937fd730 from generic handle: 0x7f158c1c2ee0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45296 Priority=DEBUG Leave Session_AccessCheck on session (0x7f158c1c2ee0) with for operation (cancel operation).
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45314 Priority=DEBUG MI_Client Operation Cancel: operation=0x7f158c2339c0, internal-operation=0x7f158c1c2eb0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_ImpersonateClient
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45140 Priority=DEBUG InteractionProtocolHandler_Operation_Cancel 0x7f158c2341d0 -- ignoring because we have already posted the final result
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_RevertImpersonation
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45312 Priority=DEBUG MI_Client Operation Close: operation=0x7f158c2339c0, internal-operation=0x7f158c1c2eb0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45286 Priority=DEBUG Shutting down thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_RevertImpersonation
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_RevertImpersonation
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45126 Priority=DEBUG InteractionProtocolHandler_Client_Ack_PostToInteraction 0x7f158c2341d0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45287 Priority=DEBUG Release thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45138 Priority=DEBUG InteractionProtocolHandler_Operation_Close 0x7f158c2341d0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45311 Priority=DEBUG MI_Client Operation Close: Complete session=0x7f158c2339a8, operation=0x7f158c2339c0, internal-operation=0x7f158c1c2eb0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_UnregisterOperation
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f1594337f50
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45151 Priority=DEBUG ProtocolSocket: Ack on interaction [0x7f158c6ccdc8]<-0x7f158c229018
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45134 Priority=DEBUG InteractionProtocolHandler_Operation_Strand_Ack 0x7f158c2341d0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45152 Priority=DEBUG (E)ProtocolSocket: Close received (closed other: 0) on interaction [0x7f158c6ccdc8]<-0x7f158c229018
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45147 Priority=DEBUG ProtocolSocket: triggering timeout on 0x7f158c6ccd88
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45136 Priority=DEBUG InteractionProtocolHandler_Operation_Strand_Close 0x7f158c2341d0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45153 Priority=DEBUG (E)ProtocolSocket: 0x7f158c6ccd88 _ProtocolSocket_Finish
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45137 Priority=DEBUG InteractionProtocolHandler_Operation_Strand_Finish 0x7f158c2341d0
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45145 Priority=DEBUG SessionCloseCompletion_Release 0x7f158c20af40 count is 1
2021/06/08 05:55:00 [7336,7365] ERROR: null(0): _RequestCallback - RequestCallbackRead failed
2021/06/08 05:55:00 [7336,7365] INFO: null(0): EventId=40033 Priority=INFO Selector_RemoveHandler: selector=0x7f15a04217a8, handler=0x7f158c6d1fc0, name=HTTP_CLIENT
2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): EventId=45355 Priority=DEBUG Sock_Close: sock (131)
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45298 Priority=DEBUG MI_Client Application Close: application=0x7f158c20a8c0, internal-application=0x7f15b40010a0
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45299 Priority=DEBUG MI_Client Application Close: Cancelling all operations on application=0x7f158c20a8c0, internal-application=0x7f15b40010a0, session=0x7f158c01c780
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45292 Priority=DEBUG Session called: Session_CancelAllOperations
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45289 Priority=DEBUG Increase refcount for thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45290 Priority=DEBUG Get correct thunk handle 0x7f158bffcd38 from generic handle: 0x7f158bffda60
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45288 Priority=DEBUG Decrease refcount without release thunk handle: 0x7f158c233d10
2021/06/08 05:55:00 [7336,7374] DEBUG: null(0): EventId=45300 Priority=DEBUG MI_Client Application Close: Waiting for all sessions to shutdown on application=0x7f158c20a8c0, internal-application=0x7f15b40010a0, number left=1

Negotiate cannot be used with local accounts - the authentication fails

Negotiate usually means it tries Kerberos and falls back to NTLM if Kerberos is unavailable. Kerberos only works for domain accounts but NTLM should work for both. The only time NTLM won't work is if you have disabled the Negotiate option in the WSMan settings (you have not) or you have disabled NTLM in your environment.

I enabled NTLM auditing on Windows Server; unfortunately it does not present any error. However, when the call is executed from Ubuntu there is a Mechanism OID added.

The OID that's shared in the error log 1.3.6.1.4.1.311.2.2.10 is the OID registered for NTLM https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/e21c0b07-8662-41b7-8853-2b9184eab0db. The fact that the Windows account didn't have an OID might mean it's sending raw NTLM tokens across the wire and not ones wrapped in SPNEGO. This shouldn't make a difference though, I've never seen a case where Windows rejects the SPNEGO wrapped NTLM token but not the raw NTLM token.

However I get an error after this:

So based on the full log you've sent the client (omi) sends an auth token based on the line

2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Received buffer: HTTP/1.1 401
WWW-Authenticate: Negotiate ==

The response back does not contain the WWW-Authenticate token with the response token so the client determines that the server has rejected the auth token it sent and helpfully tries to tell the client what protocols it accepts.

2021/06/08 05:55:00 [7336,7365] DEBUG: null(0): _ReadHeader - Received buffer: HTTP/1.1 401
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: Basic realm="WSMAN"
WWW-Authenticate: CredSSP

The fact that the auth fails after the first token suspiciously indicates that it is using Kerberos and not NTLM as the channel binding tokens aren't sent until the 3rd token for NTLM. If you have Python installed on your host you can use my pyspnego module to helpfully decode these auth tokens to figure out what's in them. To do so run pip install pyspnego then run python -m spnego --token <base64 value>. For example here are the tokens you would expect on the first token for either Kerberos or NTLM (I added --format yaml which requires the ruamel.yaml module, if omitted then json is used instead)

# Kerberos
# $ python -m spnego --format yaml --token YIIFlQYGKwYBBQUCoIIFiTCCBYWgGTAXBgkqhkiG9xIBAgIGCisGAQQBgjcCAgqiggVmBIIFYmCCBV4GCSqGSIb3EgECAgEAboIFTTCCBUmgAwIBBaEDAgEOogcDBQAgAAAAo4IEV2GCBFMwggRPoAMCAQWhDhsMRE9NQUlOLkxPQ0FMohcwFaADAgEDoQ4wDBsEaG9zdBsEZGMwMaOCBB0wggQZoAMCARKhAwIBBqKCBAsEggQHF5bDD8bdXBrlIu4x2uht9LojjmLR/mwKyI43aoPwzzlB7bEpVvGGlulCpHyyLZAoyFrgpciuAMbz5M88IKGXXRNWvvvRh6QFJOd7Ptn+aJX1hcXLHBOD8nLoRzrfy35mdMmNi7HGHjD37MkNhfzfumYoufaAZLaK09XfCvSgIDFpvg6calyoIEwSLp40nRjdZxc/nSNOgu8vy+0SI3dWol2A/eNQMZDEyRh37OeUl8d9w3VwjabBlVEnrn0pJHXLv0Qd8h2NMlS73s2WxbN/5pBAOihPBbqYEihyuPDJKH0Iv/ut02ILvk59OhMGam0nvvdCX6XWjIeUD4yzLf+mw8dKFrZNN9V0sr8irNw75aowNDxFu+HGYXmNHzdbHXJov+YeinsJkyqmrCfNTtcIXQX9VebPUH+IbxOUNdHbQXbOG5runjxqajT3djiuBqE35IgvyWejZFEVstjUHu8e+nwpPCFbQ8LE+e/QUGmD6zAE1U9X98UQiSBA1QeGGoblylnm5dCBQiZ16PbzESNJnGulTdTU058nXoTKsqb8z+6vpzX/FMxoI83QmfVCY1VdGZjFEAoQPTHcXCYINkSxtQmBY3NvJCaI13rfOSiP+GTFFLneQ/NYXGzSZV3lDexCyQpUU9sh70pkfXoclxEOUg3QDYqmpUkozAHzVI01TLAgruJouCn6I7SZaNLnmcFoKGPVVcut3M8GFF2JwwjaN1jx1cBouzf30uGWS5l2I8r/YI1cl/LIwsTwYg9BlZbcNLayO6ENvbwfbcbhuc02AXLOek1xa4fHXkxf66vX5qa4cdmsVPSSapgg8zqwkRGBcmMmtXD2djfqAWCh62lrSuILqhmt6LM6rgTw9BSNcusBAvi1AIa45c8q/dfv5oJfj4E0mcYmOsSRNU+ZbGvzUPiZGg8REV8u1xAdAb+HykTzc+4BhVpfDpuZK1opYEs9Rk0p+JAyvoKtwC6T4wIfy3Sv3EybQbvXEpza+TPin7UT4/IgeztJiTE06XpPfW6cAWxl4zFfYYM2mQzUedp0iefb/SwHwvB9Jkoq+2jplKFHpOB0zaXKyZpn3l4KRKB8m7i4d1lVI+qNNnZ5A0dV4Meb73rLsQRcEPcLXP3GTysfeF/H76zBXo+2boQwCitGY8G6Wz7CsoAXYDwMwAvgDej4KMEdH3k2XHexDrzqF72U4YO5N1+Z4plT9Vb7Mic9Y2FHAsedmt5XqH5rOay0SslX+seZw/8iJeyButBAOHtVvdBVspBOdr5Ae7SMQ8VMTOSCSqQKstSbLB+LHuZ5xjGk3cyJGRvVTfJ/D5aq3Puk0LbpOQCR3/9kHuY18FxnvB7bfxeWzdy02yHWmIX4wCDv32gbc4ukgdgwgdWgAwIBEqKBzQSByvKnTT2k0bVWFH3kjSXfAdrFbBkAOpqLqwhJVAdpBZDtX8iIzZVi9G8f/qCR+8AAbw+RwJTbOdhkDxxMmr7OklLr5jGFUggkE4uhibnTzG9QvYfWUQ+ghOirllNQzc31yDub48vxngddVkZoShD6Zkp7WdJUG9cQoGzf4xtjWQewXUevoQJetl2SX7AEShRkABFL97kt5xReoknEEeXLKraBxEXWNzm0LrtxZcPGn5ZMPVv5Dola9tsS8SlEJ3tFVlbvb4PVl8VTXJw=
MessageType: SPNEGO InitialContextToken
Data:
  thisMech: SPNEGO (1.3.6.1.5.5.2)
  innerContextToken:
    MessageType: SPNEGO NegTokenInit
    Data:
      mechTypes:
      - Kerberos (1.2.840.113554.1.2.2)
      - NTLM (1.3.6.1.4.1.311.2.2.10)
      reqFlags:
      mechToken:
        MessageType: SPNEGO InitialContextToken
        Data:
          thisMech: Kerberos (1.2.840.113554.1.2.2)
          innerContextToken:
            MessageType: AP-REQ (14)
            Data:
              pvno: 5
              msg-type: AP-REQ (14)
              ap-options:
                raw: 32
                flags:
                - mutual-required (32)
              ticket:
                tkt-vno: 5
                realm: DOMAIN.LOCAL
                sname:
                  name-type: NT-SRV-HST (3)
                  name-string:
                  - host
                  - dc01
                enc-part:
                  etype: AES256_CTS_HMAC_SHA1_96 (18)
                  kvno: 6
                  cipher: long hex value
              authenticator:
                etype: AES256_CTS_HMAC_SHA1_96 (18)
                kvno:
                cipher: long hex value
            RawData: long hex value
        RawData: long hex value
      mechListMIC:
    RawData: long hex value
RawData: long hex value


# NTLM
# $ python -m spnego --format yaml --token YEAGBisGAQUFAqA2MDSgDjAMBgorBgEEAYI3AgIKoiIEIE5UTE1TU1AAAQAAADeCCOAAAAAAAAAAAAAAAAAAAAAA
MessageType: SPNEGO InitialContextToken
Data:
  thisMech: SPNEGO (1.3.6.1.5.5.2)
  innerContextToken:
    MessageType: SPNEGO NegTokenInit
    Data:
      mechTypes:
      - NTLM (1.3.6.1.4.1.311.2.2.10)
      reqFlags:
      mechToken:
        MessageType: NEGOTIATE_MESSAGE (1)
        Data:
          NegotiateFlags:
            raw: 3758654007
            flags:
            - NTLMSSP_NEGOTIATE_56 (2147483648)
            - NTLMSSP_NEGOTIATE_KEY_EXCH (1073741824)
            - NTLMSSP_NEGOTIATE_128 (536870912)
            - NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (524288)
            - NTLMSSP_NEGOTIATE_ALWAYS_SIGN (32768)
            - NTLMSSP_NEGOTIATE_NTLM (512)
            - NTLMSSP_NEGOTIATE_SEAL (32)
            - NTLMSSP_NEGOTIATE_SIGN (16)
            - NTLMSSP_REQUEST_TARGET (4)
            - NTLMSSP_NEGOTIATE_OEM (2)
            - NTLMSSP_NEGOTIATE_UNICODE (1)
          DomainNameFields:
            Len: 0
            MaxLen: 0
            BufferOffset: 0
          WorkstationFields:
            Len: 0
            MaxLen: 0
            BufferOffset: 0
          Version:
          Payload:
            DomainName:
            Workstation:
        RawData: 4E544C4D5353500001000000378208E000000000000000000000000000000000
      mechListMIC:
    RawData: A0363034A00E300C060A2B06010401823702020AA22204204E544C4D5353500001000000378208E000000000000000000000000000000000
RawData: 604006062B0601050502A0363034A00E300C060A2B06010401823702020AA22204204E544C4D5353500001000000378208E000000000000000000000000000000000

If you can run that command on the obfuscated base64 value the client is sending off that would help immensely to track down what may be happening.
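Added example, not pyspnego's or omi's code, showing what the `python -m spnego` output above is reading out of the raw NTLM bytes: a decoder for the NEGOTIATE (type 1) and CHALLENGE (type 2) messages that walks the MS-NLMP fixed header, the Len/MaxLen/BufferOffset field descriptors and the TargetInfo AV_PAIR list. It does not parse the SPNEGO wrapper, so it must be given the inner NTLM bytes. NEGOTIATE_HEX is the NTLM RawData from the output above; the CHALLENGE message is constructed here with placeholder domain and host names (the flag value and server challenge reuse figures visible on this page).

```python
"""
Raw NTLMSSP NEGOTIATE / CHALLENGE decoder. Added example, not pyspnego or omi
code. NEGOTIATE_HEX is the RawData shown above; SAMPLE_CHALLENGE is constructed
here with placeholder names (EXAMPLE / srv01.example.local).
"""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"NTLMSSP\x00"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100 ns ticks since 1601

# MS-NLMP 2.2.2.5 NEGOTIATE flag bits (the ones seen in the tokens above plus neighbours).
NEGOTIATE_FLAGS = {
    0x80000000: "NTLMSSP_NEGOTIATE_56", 0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x20000000: "NTLMSSP_NEGOTIATE_128", 0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO", 0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY", 0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER", 0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN", 0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED", 0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY", 0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL", 0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000004: "NTLMSSP_REQUEST_TARGET", 0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
}
AV_IDS = {
    0: "MSV_AV_EOL", 1: "MSV_AV_NB_COMPUTER_NAME", 2: "MSV_AV_NB_DOMAIN_NAME",
    3: "MSV_AV_DNS_COMPUTER_NAME", 4: "MSV_AV_DNS_DOMAIN_NAME", 5: "MSV_AV_DNS_TREE_NAME",
    6: "MSV_AV_FLAGS", 7: "MSV_AV_TIMESTAMP", 8: "MSV_AV_SINGLE_HOST",
    9: "MSV_AV_TARGET_NAME", 10: "MSV_AV_CHANNEL_BINDINGS",
}
UTF16_AV_IDS = {1, 2, 3, 4, 5, 9}

# NTLM NEGOTIATE_MESSAGE RawData from the pyspnego output above.
NEGOTIATE_HEX = "4E544C4D5353500001000000378208E000000000000000000000000000000000"


def decode_flags(raw: int) -> list:
    """Flag names for the set bits, highest bit first (as pyspnego lists them)."""
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items(), reverse=True) if raw & bit]


def _field(msg: bytes, offset: int) -> bytes:
    """Resolve an NTLM Fields descriptor: Len(2) MaxLen(2) BufferOffset(4), little-endian."""
    length, _maxlen, buffer_offset = struct.unpack_from("<HHI", msg, offset)
    return msg[buffer_offset:buffer_offset + length]


def parse_av_pairs(blob: bytes) -> list:
    """TargetInfo is a list of AV_PAIR {AvId(2), AvLen(2), Value}; MSV_AV_EOL ends it."""
    pairs, pos = [], 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        name = AV_IDS.get(av_id, f"UNKNOWN({av_id})")
        if av_id == 0:
            pairs.append((name, None))
            break
        if av_id in UTF16_AV_IDS:
            pairs.append((name, value.decode("utf-16-le")))
        elif av_id == 7:
            ticks, = struct.unpack("<Q", value)
            pairs.append((name, FILETIME_EPOCH + timedelta(microseconds=ticks // 10)))
        else:
            pairs.append((name, value.hex().upper()))  # e.g. the 16-byte channel binding hash
    return pairs


def parse_ntlm(msg: bytes) -> dict:
    """Decode a type 1 or type 2 NTLMSSP message (MS-NLMP 2.2.1.1 / 2.2.1.2 layouts)."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type == 1:
        flags, = struct.unpack_from("<I", msg, 12)
        return {"MessageType": "NEGOTIATE_MESSAGE", "NegotiateFlags": decode_flags(flags),
                "DomainName": _field(msg, 16).decode("ascii"),
                "Workstation": _field(msg, 24).decode("ascii")}
    if msg_type == 2:
        flags, = struct.unpack_from("<I", msg, 20)
        out = {"MessageType": "CHALLENGE_MESSAGE", "TargetName": _field(msg, 12).decode("utf-16-le"),
               "NegotiateFlags": decode_flags(flags), "ServerChallenge": msg[24:32].hex().upper(),
               "TargetInfo": parse_av_pairs(_field(msg, 40))}
        if flags & 0x02000000:  # NTLMSSP_NEGOTIATE_VERSION: Version structure at offset 48
            major, minor, build = struct.unpack_from("<BBH", msg, 48)
            out["Version"] = f"{major}.{minor}.{build}"
        return out
    raise ValueError(f"unsupported message type {msg_type}")


def build_challenge(target_name, flags, server_challenge, av_pairs, timestamp, version=(10, 0, 17763)):
    """Construct a CHALLENGE message for the demo (payload starts after the 56-byte header)."""
    target = target_name.encode("utf-16-le")
    ticks = ((timestamp - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    info = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for i, v in av_pairs)
    info += struct.pack("<HHQ", 7, 8, ticks) + struct.pack("<HH", 0, 0)
    return b"".join([
        SIGNATURE, struct.pack("<I", 2),
        struct.pack("<HHI", len(target), len(target), 56),
        struct.pack("<I", flags), server_challenge, b"\x00" * 8,
        struct.pack("<HHI", len(info), len(info), 56 + len(target)),
        struct.pack("<BBH", *version), b"\x00\x00\x00", b"\x0f",
        target, info,
    ])


# Constructed sample: placeholder names, flag value and challenge as shown in the decoded header above.
SAMPLE_CHALLENGE = build_challenge(
    "EXAMPLE", 0xA2898215, bytes.fromhex("96A44DD62421E27E"),
    [(2, "EXAMPLE"), (1, "SRV01"), (4, "example.local"), (3, "srv01.example.local"), (5, "example.local")],
    datetime(2021, 6, 8, 12, 38, 48, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(parse_ntlm(bytes.fromhex(NEGOTIATE_HEX)))
    print(parse_ntlm(SAMPLE_CHALLENGE))
```

To apply it to a captured WWW-Authenticate value, base64-decode the token, strip the SPNEGO wrapper (or read the NTLM RawData out of the pyspnego output) and pass the bytes starting at "NTLMSSP\0" to parse_ntlm; a value that does not begin with that signature, or that the base64 decoder rejects, is not an NTLM message at all, which is the kind of distinction the Base64Dec warning in the omi log turns on.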

From the log I see two headers:

  • Header 1 - Decodes successfully
{
  "MessageType": "SPNEGO NegTokenResp",
  "Data": {
    "negState": "accept-incomplete (1)",
    "supportedMech": "NTLM (1.3.6.1.4.1.311.2.2.10)",
    "responseToken": {
      "MessageType": "CHALLENGE_MESSAGE (2)",
      "Data": {
        "TargetNameFields": {
          "Len": 20,
          "MaxLen": 20,
          "BufferOffset": 56
        },
        "NegotiateFlags": {
          "raw": 2726920725,
          "flags": [
            "NTLMSSP_NEGOTIATE_56 (2147483648)",
            "NTLMSSP_NEGOTIATE_128 (536870912)",
            "NTLMSSP_NEGOTIATE_VERSION (33554432)",
            "NTLMSSP_NEGOTIATE_TARGET_INFO (8388608)",
            "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (524288)",
            "NTLMSSP_TARGET_TYPE_DOMAIN (65536)",
            "NTLMSSP_NEGOTIATE_ALWAYS_SIGN (32768)",
            "NTLMSSP_NEGOTIATE_NTLM (512)",
            "NTLMSSP_NEGOTIATE_SIGN (16)",
            "NTLMSSP_REQUEST_TARGET (4)",
            "NTLMSSP_NEGOTIATE_UNICODE (1)"
          ]
        },
        "ServerChallenge": "96A44DD62421E27E",
        "Reserved": "0000000000000000",
        "TargetInfoFields": {
          "Len": 202,
          "MaxLen": 202,
          "BufferOffset": 76
        },
        "Version": {
          "Major": 10,
          "Minor": 0,
          "Build": 17763,
          "Reserved": "000000",
          "NTLMRevision": 15
        },
        "Payload": {
          "TargetName": "DOMAINOBFUSCATED",
          "TargetInfo": [
            {
              "AvId": "MSV_AV_NB_DOMAIN_NAME (2)",
              "Value": "DOMAINOBFUSCATED"
            },
            {
              "AvId": "MSV_AV_NB_COMPUTER_NAME (1)",
              "Value": "vm-gs-alt001"
            },
            {
              "AvId": "MSV_AV_DNS_DOMAIN_NAME (4)",
              "Value": "DOMAINOBFUSCATED.local"
            },
            {
              "AvId": "MSV_AV_DNS_COMPUTER_NAME (3)",
              "Value": "vm-gs-alt001.DOMAINOBFUSCATED.local"
            },
            {
              "AvId": "MSV_AV_DNS_TREE_NAME (5)",
              "Value": "DOMAINOBFUSCATED.local"
            },
            {
              "AvId": "MSV_AV_TIMESTAMP (7)",
              "Value": "2021-06-08T12:38:48.4885022Z"
            },
            {
              "AvId": "MSV_AV_EOL (0)",
              "Value": null
            }
          ]
        }
      },
      "RawData": "OBFUSCATED"
    },
    "mechListMIC": null
  },
  "RawData": "OBFUSCATED"
}
  • Header 2 - Pretty much confirms the warning that base64 cannot be decoded
{
  "MessageType": "Unknown - Failed to parse see Data for more details.",
  "Data": "Failed to parse token: Expecting a tag number of 0 not 1 for InitialContextToken",
  "RawData": "4162414230414441414D4141784141514149414272414841416251426E41474D41626742304147554163774230414334416241427641474D415951427341414D414F674232414730414C51426E41484D414C5142684147774164414177414441414D51417541477341634142744147634159774275414851415A51427A414851414C6742734147384159774268414777414251416741477341634142744147634159774275414851415A51427A414851414C67427341473841597742684147774142774149414234476B6A706A584E63424141414141413D3D"
}

And a small update - removed LmCompatibilityLevel registry key from Windows Server 2019 and also disabled Kerberos in WSMan configuration.
Header 2 now reports Failed to parse token: Expecting a tag number of 0 not 20 for InitialContextToken

And one last update - here is the Authenticate_Message.
The only thing I see (I am not an expert) is "SessionKey": "Failed to derive".

{
  "MessageType": "SPNEGO NegTokenResp",
  "Data": {
    "negState": "accept-incomplete (1)",
    "supportedMech": null,
    "responseToken": {
      "MessageType": "AUTHENTICATE_MESSAGE (3)",
      "Data": {
        "LmChallengeResponseFields": {
          "Len": 0,
          "MaxLen": 0,
          "BufferOffset": 88
        },
        "NtChallengeResponseFields": {
          "Len": 306,
          "MaxLen": 306,
          "BufferOffset": 88
        },
        "DomainNameFields": {
          "Len": 0,
          "MaxLen": 0,
          "BufferOffset": 0
        },
        "UserNameFields": {
          "Len": 90,
          "MaxLen": 90,
          "BufferOffset": 394
        },
        "WorkstationFields": {
          "Len": 22,
          "MaxLen": 22,
          "BufferOffset": 484
        },
        "EncryptedRandomSessionKeyFields": {
          "Len": 16,
          "MaxLen": 16,
          "BufferOffset": 506
        },
        "NegotiateFlags": {
          "raw": 2726920725,
          "flags": [
            "NTLMSSP_NEGOTIATE_56 (2147483648)",
            "NTLMSSP_NEGOTIATE_128 (536870912)",
            "NTLMSSP_NEGOTIATE_VERSION (33554432)",
            "NTLMSSP_NEGOTIATE_TARGET_INFO (8388608)",
            "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (524288)",
            "NTLMSSP_TARGET_TYPE_DOMAIN (65536)",
            "NTLMSSP_NEGOTIATE_ALWAYS_SIGN (32768)",
            "NTLMSSP_NEGOTIATE_NTLM (512)",
            "NTLMSSP_NEGOTIATE_SIGN (16)",
            "NTLMSSP_REQUEST_TARGET (4)",
            "NTLMSSP_NEGOTIATE_UNICODE (1)"
          ]
        },
        "Version": {
          "Major": 6,
          "Minor": 2,
          "Build": 0,
          "Reserved": "000000",
          "NTLMRevision": 15
        },
        "MIC": "7B395F470EEDE49E964697BC5810F3BC",
        "Payload": {
          "LmChallengeResponse": null,
          "NtChallengeResponse": {
            "ResponseType": "NTLMv2",
            "NTProofStr": "E889CB80D7122507E1C0567BDDE734C3",
            "ClientChallenge": {
              "RespType": 1,
              "HiRespType": 1,
              "Reserved1": 0,
              "Reserved2": 0,
              "TimeStamp": "2021-06-08T13:23:52.7863253Z",
              "ChallengeFromClient": "CBFE230C6E2BE409",
              "Reserved3": 0,
              "AvPairs": [
                {
                  "AvId": "MSV_AV_NB_COMPUTER_NAME (1)",
                  "Value": "vm-gs-alt001"
                },
                {
                  "AvId": "MSV_AV_NB_DOMAIN_NAME (2)",
                  "Value": "DOMAINOBFUSCATED"
                },
                {
                  "AvId": "MSV_AV_DNS_COMPUTER_NAME (3)",
                  "Value": "vm-gs-alt001.DOMAINOBFUSCATED.local"
                },
                {
                  "AvId": "MSV_AV_DNS_DOMAIN_NAME (4)",
                  "Value": "DOMAINOBFUSCATED.local"
                },
                {
                  "AvId": "MSV_AV_DNS_TREE_NAME (5)",
                  "Value": "DOMAINOBFUSCATED.local"
                },
                {
                  "AvId": "MSV_AV_FLAGS (6)",
                  "Value": {
                    "raw": 2,
                    "flags": [
                      "MIC_PROVIDED (2)"
                    ]
                  }
                },
                {
                  "AvId": "MSV_AV_TIMESTAMP (7)",
                  "Value": "2021-06-08T13:23:52.7863253Z"
                },
                {
                  "AvId": "MSV_AV_TARGET_NAME (9)",
                  "Value": "10.0.104.201"
                },
                {
                  "AvId": "MSV_AV_CHANNEL_BINDINGS (10)",
                  "Value": "00000000000000000000000000000000"
                },
                {
                  "AvId": "MSV_AV_EOL (0)",
                  "Value": null
                }
              ],
              "Reserved4": 0
            }
          },
          "DomainName": null,
          "UserName": "Test.Client@DOMAINOBFUSCATED.onmicrosoft.com",
          "Workstation": "UBUNTU-2004",
          "EncryptedRandomSessionKey": "00000000000000000000000000000000"
        },
        "SessionKey": "Failed to derive"
      },
      "RawData": "OBFUSCATED"
    },
    "mechListMIC": "01000000B8F40AD8648CCF8D00000000"
  },
  "RawData": "OBFUSCATED"
}

hmmm looks like setting CbtHardeningLevel to 'None' fixed the issue. I will test more tomorrow and let you know.

Confirmed - tested against other VMs - everything works. It even works with the standard libraries which comes from Ubuntu 18.04.
@jborean93 thanks a lot for your effort and great blog articles!!!

Thanks for the excellent information. There are technically 2 bugs at play here:

  • GSSAPI is not passing through the channel bindings that it was called with
  • gss-ntlmssp is not sending the correct bindings value if it isn't supplied the CBT
    • gssapi/gss-ntlmssp#25
    • Because of the first issue above gss-ntlmssp is passed an empty CBT struct and it includes that null'd out AvPair causing problems on Windows
    • This has also been fixed and is included in the gss-ntlmssp >= 1.0.0 package so upgrading to that will also work (probably not available on many older distros)
    • Fixing this bug alone will solve the problem with CbtHardeningLevel = Relaxed but the Strict setting still requires the above

So the workaround, as you've found out, is to set the CbtHardeningLevel to None so Windows doesn't try to validate the value at all. The proper fix so omi works with both Relaxed and Strict is already done; it will just take time for it to filter down to the various distro packages. Unfortunately Ubuntu at this time does not have a release that ships with MIT krb5 >= 1.19.0 or gss-ntlmssp >= 1.0.0; maybe the next version will include krb5 >= 1.19.0. Other distros like Fedora do, so if you can change I would probably recommend that.
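As an added illustration of the channel-binding value this thread turns on (the all-zero MSV_AV_CHANNEL_BINDINGS in the decoded AUTHENTICATE_MESSAGE and the empty-CBT explanation above), the following Python computes the MsvAvChannelBindings value a client should send for a tls-server-end-point binding and classifies what an NtChallengeResponse actually carried. It is not code from omi, PSWSMAN, gss-ntlmssp or either participant. It uses only the standard library; the certificate bytes are a constructed stand-in, the signature hash algorithm is passed in rather than read from the certificate, and the AvPairs are rebuilt from the values shown in the decoded message. It goes slightly beyond the capture by also handling an absent AvPair and a mismatching hash.

```python
"""Compute and check the NTLM MsvAvChannelBindings value.

Added illustration only: not code from omi, PSWSMAN, gss-ntlmssp or the issue
participants. Standard library only. The certificate bytes and the AvPair blob
are constructed sample data modelled on the decoded message in the thread.
"""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2
MSV_AV_FLAGS, MSV_AV_TIMESTAMP, MSV_AV_TARGET_NAME, MSV_AV_CHANNEL_BINDINGS = 6, 7, 9, 10
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for the WinRM listener's DER certificate (not a real cert).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-sample-certificate-bytes"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point application data: prefix plus the certificate
    hashed with its signature algorithm's hash (SHA-256 when that is MD5 or SHA-1).
    Assumption: the caller supplies sig_hash; a real client reads it from the cert."""
    return b"tls-server-end-point:" + hashlib.new(sig_hash, cert_der).digest()


def channel_bindings_hash(application_data: bytes, initiator_addrtype: int = 0,
                          initiator_address: bytes = b"", acceptor_addrtype: int = 0,
                          acceptor_address: bytes = b"") -> bytes:
    """MS-NLMP MsvAvChannelBindings value: MD5 over the gss_channel_bindings_struct
    laid out as in RFC 4121 4.1.1.2 (address types and lengths as 32-bit LE ints).
    An all-zero 16-byte value, by contrast, signals "no channel bindings"."""
    buf = struct.pack("<I", initiator_addrtype)
    buf += struct.pack("<I", len(initiator_address)) + initiator_address
    buf += struct.pack("<I", acceptor_addrtype)
    buf += struct.pack("<I", len(acceptor_address)) + acceptor_address
    buf += struct.pack("<I", len(application_data)) + application_data
    return hashlib.md5(buf).digest()


def build_av_pairs(pairs) -> bytes:
    """Serialise [(AvId, value_bytes)] as AV_PAIRs terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob: bytes):
    """Walk AV_PAIRs (AvId u16 LE, AvLen u16 LE, Value) until MsvAvEOL."""
    pairs, off = [], 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs.append((av_id, blob[off:off + av_len]))
        off += av_len


def parse_ntlmv2_response(nt_challenge_response: bytes) -> dict:
    """Split NtChallengeResponse into NTProofStr and the NTLMv2_CLIENT_CHALLENGE
    ('temp') header that precedes the AvPairs."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    resp_type, hi_resp_type, _r1, _r2, ts, client_chal, _r3 = struct.unpack_from(
        "<BBHIQ8sI", temp, 0)
    return {
        "NTProofStr": proof.hex().upper(),
        "RespType": resp_type,
        "HiRespType": hi_resp_type,
        # FILETIME counts 100 ns units since 1601-01-01
        "TimeStamp": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
        "ChallengeFromClient": client_chal.hex().upper(),
        "AvPairs": parse_av_pairs(temp[28:]),
    }


def channel_binding_status(av_pairs, expected: bytes) -> str:
    """Classify MsvAvChannelBindings: absent (no AvPair), zeroed (AvPair present
    but all zero, as in the thread), match or mismatch against the expected hash."""
    values = [v for av_id, v in av_pairs if av_id == MSV_AV_CHANNEL_BINDINGS]
    if not values:
        return "absent"
    if values[0] == bytes(16):
        return "zeroed"
    return "match" if values[0] == expected else "mismatch"


def sample_response(cbt_value: bytes) -> bytes:
    """Constructed NtChallengeResponse with the AvPairs shape from the decoded
    AUTHENTICATE_MESSAGE in the thread and the chosen channel-binding value."""
    filetime = 132676322327863253  # 2021-06-08T13:23:52.7863253Z as a FILETIME
    av = build_av_pairs([
        (MSV_AV_NB_COMPUTER_NAME, "vm-gs-alt001".encode("utf-16-le")),
        (MSV_AV_NB_DOMAIN_NAME, "DOMAINOBFUSCATED".encode("utf-16-le")),
        (MSV_AV_FLAGS, struct.pack("<I", 2)),  # MIC_PROVIDED
        (MSV_AV_TIMESTAMP, struct.pack("<Q", filetime)),
        (MSV_AV_TARGET_NAME, "10.0.104.201".encode("utf-16-le")),
        (MSV_AV_CHANNEL_BINDINGS, cbt_value),
    ])
    temp = struct.pack("<BBHIQ8sI", 1, 1, 0, 0, filetime,
                       bytes.fromhex("CBFE230C6E2BE409"), 0)
    return bytes.fromhex("E889CB80D7122507E1C0567BDDE734C3") + temp + av + bytes(4)


if __name__ == "__main__":
    expected = channel_bindings_hash(tls_server_end_point(SAMPLE_CERT_DER))
    for label, value in (("as captured", bytes(16)), ("correct", expected)):
        parsed = parse_ntlmv2_response(sample_response(value))
        print(label, channel_binding_status(parsed["AvPairs"], expected))
```

Running it against the captured shape reports "zeroed" for the all-zero AvPair and "match" once the hash derived from the server certificate is substituted; against a real capture, feed the NtChallengeResponse bytes to parse_ntlmv2_response and the listener's DER certificate to tls_server_end_point.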