websspi

package module

v1.0.2 Latest Latest Go to latest Published: Jan 4, 2021 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sorokinmax/websspi

Links

Open Source Insights

README ¶

websspi

websspi is an HTTP middleware for Golang that uses Kerberos/NTLM for single sign-on (SSO) authentication of browser based clients in a Windows environment.

It performs authentication of HTTP requests without the need to create or use keytab files.

The middleware implements the scheme defined by RFC4559 (SPNEGO-based HTTP Authentication in Microsoft Windows) to exchange security tokens via HTTP headers and uses SSPI (Security Support Provider Interface) to authenticate HTTP requests.

How to use

The examples directory contains a simple web server that demonstrates how to use the package. Before trying it, you need to prepare your environment:

Create a separate user account in active directory, under which the web server process will be running (eg. user under the domain.local domain)
Create a service principal name for the host with class HTTP:
- Start Command prompt or PowerShell as domain administrator
- Run the command below, replacing host.domain.local with the fully qualified domain name of the server where the web application will be running, and domain\user with the name of the account created in step 1.:
```
setspn -A HTTP/host.domain.local domain\user
```
Start the web server app under the account created in step 1.
If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (Internet Options -> Security -> Local intranet -> Sites)
Start Chrome, Edge or Internet Explorer and navigate to the URL of the web app (eg. http://host.domain.local:9000)
The web app should greet you with the name of your AD account without asking you to login. In case it doesn't, make sure that:
- You are not running the web browser on the same server where the web app is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If you do run the web browser at the same server SSPI package will fallback to NTLM protocol and Kerberos will not be used.
- There is only one HTTP/... SPN for the host
- The SPN contains only the hostname, without the port
- You have added the URL of the web app to the Local intranet zone
- The clocks of the server and client should not differ with more than 5 minutes
- Integrated Windows Authentication should be enabled in Internet Explorer (under Advanced settings)

Security requirements

SPNEGO over HTTP provides no facilities for protection of the authroization data contained in HTTP headers (the Authorization and WWW-Authenticate headers), which means that the web server MUST enforce use of HTTPS to provide confidentiality for the data in those headers!

Documentation ¶

Rendered for

Index ¶

func UTF16PtrToString(ptr *uint16, maxLen int) (s string)
type UserInfo

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func UTF16PtrToString ¶

func UTF16PtrToString(ptr *uint16, maxLen int) (s string)

UTF16PtrToString converts a pointer to a UTF16 string to a string

Types ¶

type UserInfo ¶

type UserInfo struct {
	Username string   // Name of user, usually in the form DOMAIN\User
	Groups   []string // The global groups the user is a member of
}

UserInfo represents an authenticated user.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
examples
secctx

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL