go-mssqldb

kerberos SSO support

Open keith6014 opened this issue 6 years ago • 24 comments

Would be great if we can integrate SSO with https://github.com/jcmturner/gokrb5. I can contribute if you give me some guidelines on the authentication protocol. This would be a great feature.

keith6014 avatar May 31 '18 00:05 keith6014

Main point will be to put the capability in another package that can be optionally imported and registered.

Otherwise, for the auth protocol, you can look up the TDS protocol and the correct authentication portion on the mdn docs.

kardianos avatar May 31 '18 00:05 kardianos

Thanks for the prompt reply!

I noticed we have NTLM support now, but only for Windows. The majority of my userbase is on Linux and Solaris.

So, I was trying to find a way for authentication.

How hard would it be to do a generic Kerberos client?

Also why a separate package? Would be great if it was all in a single package. Is it because of supporting / testing? I can understand that.

If you give me some guidelines I can write up a wiki page for you on how I did Kerberos for *Nix and MSSQL server :-)

keith6014 avatar May 31 '18 00:05 keith6014

I don't know how hard, but if you want to just look for the current NTLM hooks and try to sub in another client, that sounds great to me.

kardianos avatar May 31 '18 00:05 kardianos

I am looking for the NTLM hooks, but couldn't really find anything. I am guessing I need to wrap this call, OpenConnector?

Any guidance would be helpful.

keith6014 avatar May 31 '18 01:05 keith6014

Any ideas? Any guidance would be helpful.

keith6014 avatar Jun 01 '18 00:06 keith6014

MSSQL does support Kerberos authentication, you should look into SPNEGO authentication: https://msdn.microsoft.com/en-us/library/dd340959.aspx

denisenkom avatar Jun 01 '18 01:06 denisenkom

I know it supports it because we are using it in Java.

I was thinking, instead of sending the Login header, I send a SPNEGO negotiation packet, which I am able to create. I am creating the packet from gokrb5 so it will be OS agnostic.

I see your login header is being created by this spec, login7 -- https://msdn.microsoft.com/en-us/library/dd304019.aspx

Questions:

  1. Would I still need to use Login7? It seems it's a generic interface for authentication, or do I use something completely different?
  2. Presumably, I still use Login7; where would I stuff the SPNEGO negotiation in the header? Would I use FEATUREEXTACK (https://msdn.microsoft.com/en-us/library/jj906481.aspx)? Does that sound right?

keith6014 avatar Jun 01 '18 10:06 keith6014

Any ideas?

keith6014 avatar Jun 24 '18 10:06 keith6014

You would need to send a Login7 request and then do the SPNEGO handshake. To enable SPNEGO you should set the SSPI fields in the Login7 structure (search for SSPI on this page: https://msdn.microsoft.com/en-us/library/dd304019.aspx). The format for the SSPI packet is described here: https://msdn.microsoft.com/en-us/library/dd303223.aspx. SSPI allows you to do Kerberos or NTLM authentication. For NTLM authentication I have an implementation in Python which can provide some clues on how to implement Kerberos. The SSPI packet parser and generator is implemented here: https://github.com/denisenkom/pytds/blob/master/src/pytds/login.py#L93. In here https://github.com/denisenkom/pytds/blob/master/src/pytds/tds.py#L1384 it is injected into the LOGIN7 packet. And here subsequent packets are processed: https://github.com/denisenkom/pytds/blob/master/src/pytds/tds.py#L813

For your second question, no, I don't think FEATUREEXTACK is needed for Kerberos authentication.

denisenkom avatar Jun 24 '18 22:06 denisenkom
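The SSPI continuation step described in the comment above, as an added example that is not part of the thread and is not go-mssqldb or pytds code: after LOGIN7, the server's reply carries an SSPI token (type `0xED`, little-endian length, blob) and the client answers with its next blob in TDS packets of type `0x11`. The token and packet type values come from the MS-TDS specification rather than from this page; the function names and sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	tokenSSPI       = 0xED // server token carrying an SSPI/GSS-API blob
	packSSPIMessage = 0x11 // TDS packet type for the client's SSPI reply
	statusEOM       = 0x01 // set on the last packet of a message
	headerLen       = 8    // TDS packet header size
)

// ParseSSPIToken returns the blob of a server SSPI token, rejecting short input.
func ParseSSPIToken(b []byte) ([]byte, error) {
	if len(b) < 3 || b[0] != tokenSSPI || len(b)-3 < int(binary.LittleEndian.Uint16(b[1:3])) {
		return nil, fmt.Errorf("malformed or truncated SSPI token")
	}
	return b[3 : 3+int(binary.LittleEndian.Uint16(b[1:3]))], nil
}

// BuildSSPIPackets frames the client's blob, splitting it at the negotiated packet size.
func BuildSSPIPackets(blob []byte, packetSize int) ([][]byte, error) {
	if packetSize <= headerLen || packetSize > 0xFFFF {
		return nil, fmt.Errorf("invalid packet size %d", packetSize)
	}
	var out [][]byte
	for id := uint8(1); ; id++ { // numbering from 1 is this example's choice
		n, status := packetSize-headerLen, byte(0)
		if len(blob) <= n {
			n, status = len(blob), statusEOM
		}
		p := make([]byte, headerLen, headerLen+n)
		p[0], p[1], p[6] = packSSPIMessage, status, id
		binary.BigEndian.PutUint16(p[2:4], uint16(headerLen+n)) // length includes header
		out = append(out, append(p, blob[:n]...))
		if status == statusEOM {
			return out, nil
		}
		blob = blob[n:]
	}
}

func main() { // constructed sample: placeholder bytes, not a real SPNEGO token
	blob, err := ParseSSPIToken([]byte{0xED, 0x04, 0x00, 0xA1, 0x02, 0x30, 0x00})
	pkts, _ := BuildSSPIPackets(blob, 4096)
	fmt.Printf("%x %v %x\n", blob, err, pkts[0])
}
```

In a driver, the blob returned by `ParseSSPIToken` would be handed to the Kerberos/SPNEGO library and its output passed to `BuildSSPIPackets`, repeating until the server sends its login acknowledgement.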

Due to time restrictions, I can't work on it at the moment, but thanks for the help. I will work with the gokrb5 author to get a native implementation so we don't need a separate NTLM auth scheme.

keith6014 avatar Jul 17 '18 01:07 keith6014

Seems this is a tough request. The gokrb5 authors and I are confused on how to implement this. Maybe this should be tagged as a feature request and have someone internally look through this?

keith6014 avatar Jul 20 '18 02:07 keith6014

Hey @denisenkom

Is this something you can help me with? I am available for testing but I am afraid I am not that good with Go to implement the details you suggested.

keith6014 avatar Aug 07 '18 11:08 keith6014

Hi, yes, I will let you know when I have something ready for testing.

denisenkom avatar Aug 10 '18 00:08 denisenkom

To start, I would need example packets that are being exchanged when Kerberos authentication is used. You can provide that data using Wireshark when you use the Java version of the TDS driver. That would help me in determining how to package Kerberos packages properly.

denisenkom avatar Aug 10 '18 01:08 denisenkom

The Java driver for SQL Server implements Kerberos there: https://github.com/Microsoft/mssql-jdbc/blob/dev/src/main/java/com/microsoft/sqlserver/jdbc/KerbAuthentication.java

thda avatar Aug 11 '18 09:08 thda

I recently left the company where I was working on this stuff. The author of gokrb5 (https://github.com/jcmturner/gokrb5) is a great resource. That person is willing to help. https://github.com/jcmturner/gokrb5/issues/125

I will be on travel for the next few weeks. If someone is able to help in the meantime, please don't be shy.

keith6014 avatar Aug 11 '18 11:08 keith6014

@denisenkom any thoughts from @jcmturner's comments? https://github.com/jcmturner/gokrb5/issues/125

keith6014 avatar Sep 29 '18 01:09 keith6014

I've added Kerberos support to pytds recently: https://github.com/denisenkom/pytds/pull/103/files. So if somebody wants to add it into the go-mssqldb driver and has the means to test it, then that would be a good starting point.

denisenkom avatar Sep 30 '18 17:09 denisenkom

I can test it, just not sure I can add it :-)

keith6014 avatar Oct 22 '18 00:10 keith6014

Any word on this feature?

keith6014 avatar May 14 '19 15:05 keith6014

Any updates or ETAs on Kerberos support for go-mssqldb?

shandets avatar Jul 30 '19 23:07 shandets

Hi @denisenkom, any news on the support of Kerberos in go-mssqldb? Thanks in advance.

florspag avatar Aug 31 '20 16:08 florspag

Are there any updates on Kerberos in go-mssqldb? Thanks

fenngineering avatar Feb 27 '21 18:02 fenngineering

Are there any updates on Kerberos in go-mssqldb?

trunin avatar Apr 28 '22 09:04 trunin