Null Identity on AcquireCredentialsHandle results in error
If I pass a null identity to AcquireCredentialsHandle I get an error, which is different from what happens in the Windows SSPI.
AcquireCredentialsHandle failed (One or more of the parameters passed to the function was invalid., Win32ErrorCode -2146892963 - 0x8009035D)
If we pass an identity to AcquireCredentialsHandle, but pass an empty string as the username, then we get this error later in the process:
InitializeSecurityContext failed (The token supplied to the function is invalid, Win32ErrorCode -2146893048 - 0x80090308)
I could not reproduce this error on Windows. This is the code I use to try reproducing it. Did I miss something?
```rust
// Import paths are assumed from the sspi crate's public API.
use sspi::builders::AcquireCredentialsHandleResult;
use sspi::{CredentialsBuffers, KerberosConfig, Negotiate, NegotiateConfig, Sspi, SspiImpl, Username};

fn main() {
    let username = "".to_string(); // username@domain
    let password = "password".to_string(); // password
    let kerberos_config = KerberosConfig::new("kdc_url", "hostname".to_string());
    let mut negotiate = Negotiate::new(
        NegotiateConfig::from_protocol_config(Box::new(kerberos_config.clone()), "client".to_string())
    ).unwrap();
    let _ = get_cred_handle(&mut negotiate, username, password);
}

// Builds an AuthIdentity from the given username and password and
// acquires an outbound credentials handle with it.
pub(crate) fn get_cred_handle<T>(
    sspi: &mut T,
    username: String,
    password: String,
) -> AcquireCredentialsHandleResult<Option<CredentialsBuffers>>
where
    T: SspiImpl<CredentialsHandle = Option<CredentialsBuffers>> + Sspi,
    <T as SspiImpl>::AuthenticationData: From<sspi::AuthIdentity>,
{
    let identity = sspi::AuthIdentity {
        username: Username::parse(&username).expect("username is not in the correct format"),
        password: password.into(),
    };
    let acq_creds_handle_result = sspi
        .acquire_credentials_handle()
        .with_credential_use(sspi::CredentialUse::Outbound)
        .with_auth_data(&dbg!(identity).into())
        .execute()
        .expect("AcquireCredentialsHandle resulted in error");
    acq_creds_handle_result
}
```
> I could not reproduce this error on Windows. This is the code I use to try reproducing it. Did I miss something?
The key to the first error is to pass a null identity to AcquireCredentialsHandle. Also, passing an empty string username results in another exception during InitializeSecurityContext, which differs from the Windows SSPI.
Closing as discussed in https://github.com/Devolutions/sspi-rs/pull/304#discussion_r1793546562