This repository was archived by the owner on Dec 8, 2021. It is now read-only.

Kerberos configuration for -Auth Negotiate #202

Closed
@eladent

Polaris Bug Report

Description of the bug


When starting Polaris with "-Auth Negotiate", authentication always uses NTLM and it seems there's no working configuration for Kerberos.

Steps to reproduce

In an AD domain.

Considering this old thread, Polaris should be running under "SYSTEM" or "Network Service" so it can gain machine credentials. So run the script with psexec, Task Scheduler or nssm with one of these accounts.

You also need to set an HTTP SPN for the server:

```
setspn.exe -S HTTP/<your.server.fq.dn>:8000 Server_machine_account
```

Note: For testing purposes I also tried running Polaris with a user account on which I set the SPN for the server, no success.

Here's a code sample:

```powershell
New-PolarisRoute -Method GET -Path '/whoami' -ScriptBlock {
    $Response.Send(($Request.User.Identity | ConvertTo-Json))
}
Start-Polaris -Hostname "<your.server.fq.dn>" -Port 8000 -Verbose -Auth Negotiate
```

And send a request with:

```powershell
Invoke-RestMethod -UseDefaultCredentials -Uri http://<your.server.fq.dn>:8000/whoami
```

In the server answer "AuthenticationType" is stuck on NTLM on every configuration I tried...

Expected behavior

Auth should use Kerberos in this kind of setup.

Additional context

Version Information

Polaris 0.2.0
```powershell
$Version= 5.1.14409.1018
```
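
A way to check which mechanism the client actually offered inside the Negotiate exchange, independent of the server-side `AuthenticationType` value. This is an added example, not part of the original issue or of Polaris. The function name `Get-NegotiateMechanism` is hypothetical, the header value is assumed to come from a traffic capture or proxy log, and the two sample tokens are constructed:

```powershell
# Added example, not from the original issue or the Polaris code base.
# Classifies the token of an "Authorization: Negotiate <base64>" header value
# by looking for the NTLMSSP signature and the Kerberos mechanism OIDs (heuristic).
function Get-NegotiateMechanism {
    param([Parameter(Mandatory)][string]$HeaderValue)

    if ($HeaderValue -notmatch '^\s*(?:Negotiate|NTLM)\s+(\S+)\s*$') { return 'NotNegotiate' }
    try   { $bytes = [Convert]::FromBase64String($Matches[1]) }
    catch { return 'InvalidBase64' }

    # Dash-separated upper-case hex, so substring matches stay byte-aligned.
    $hex = [BitConverter]::ToString($bytes)

    $ntlmSignature = '4E-54-4C-4D-53-53-50-00'           # "NTLMSSP\0"
    $krb5Oid       = '06-09-2A-86-48-86-F7-12-01-02-02'  # 1.2.840.113554.1.2.2
    $msKrb5Oid     = '06-09-2A-86-48-82-F7-12-01-02-02'  # 1.2.840.48018.1.2.2
    $spnegoOid     = '06-06-2B-06-01-05-05-02'           # 1.3.6.1.5.5.2

    # An NTLM message, sent raw or wrapped in SPNEGO, carries the signature.
    if ($hex.Contains($ntlmSignature)) { return 'NTLM' }

    # 0x60 opens a GSS-API initial context token (SPNEGO or bare Kerberos).
    if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x60) {
        if ($hex.Contains($krb5Oid) -or $hex.Contains($msKrb5Oid)) { return 'Kerberos' }
        if ($hex.Contains($spnegoOid)) { return 'SPNEGO-OtherMechanism' }
    }
    return 'Unknown'
}

# Constructed samples (not captured traffic): the start of an NTLM NEGOTIATE
# message, and a minimal SPNEGO NegTokenInit listing Kerberos as its mechanism.
$ntlmSample = [byte[]](0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00)
$krbSample  = [byte[]](0x60,0x1B,0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,
                       0xA0,0x11,0x30,0x0F,0xA0,0x0D,0x30,0x0B,
                       0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)

foreach ($sample in $ntlmSample, $krbSample) {
    $header = 'Negotiate ' + [Convert]::ToBase64String($sample)
    '{0,-10} {1}' -f (Get-NegotiateMechanism $header), $header
}
```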
