Authentication on Windows NT Server w/IIS 5

I changed the authentication files on my production server
(running CF 4.5) to add in some new session variables. I did this
using Dreamweaver 8, using my personal account that automatically
logs me into the server (with administrator rights). In doing this
I probably made the files writeable (I don't remember if they were
read-only to start). However, people starting calling in and saying
they couldn't log into that server anymore, so I copied over the
altered files with copies of the original ones from the duplicate
server, people still couldn't log in. I copied over the files with
the original files from the backup server, still couldn't log in. I
changed the files to read-only through the actualy Administrator
account, not my personal one. Still no go. We then copied over the
files from the backup tapes, that are apparently supopsed to save
the permissions settings. Still the same problem.
We can still get to the home page, so IIS is working, and we
can still get to non-authenticated CF files, so CF is working. When
trying to log in from the home page, after you input your username
and password and hit "login" it pops up an MS authentication window
and asks for your username and password for the server. So pretty
much, we figure something is wrong with the settings for that
particular server. We've checked to make sure that all the cfm and
html files can be read by anonymous users, and the settings seem to
be the same as those on the duplication server (which people can
still log into).
Has anyone had this happen before? Anyone know what settings
might be messed up? Do you think it made a difference that files
were edited w/my account and not Administrator?
Our last option is completely redoing the server from backup.
Does anyone have any better suggestions? Any help would be
appreciated. Please help if you can! Thanks!

Have you tried re-setting the 'File Security' in IIS Services
Manager?
I think 'Integrated Windows Authentication' should be checked
and 'Anonymous access' should be un-checked.
For all the other files, 'Anonymous access' should be
checked.
Good luck!

Similar Messages

Authentication with Windows 2003 server

Hi there,
I am looking for achieve this task. I would like to know How I could authenticate users accesing by my wireless network? I mean in windows 2003 server. They must type their username and password. I want to restricted users which are not on the list to access by my wireless network. I know that in windows 2000 I could use radius server. Could I use it here?.
Also, I guess that I have to allow these "new users" in AD.
I am looking forward to read helpfull information here and of course I will give it a rate (points)
Any ideas are welcome.
Thanks
Wladimir

Same thing for 2003, it is called IAS (Internet Authentication Service).
http://www.microsoft.com/technet/network/ias/default.mspx
Basically you will set up IAS with a RADIUS Client which would be your wireless access point(s). Then you will set up a remote access policy which will define how connections are authorized or rejected (windows groups, protocols etc.). Don't forget to register IAS with active directory.

Error while publishing Lightswitch application remotely from Windows 7 PC to Windows 2003 Server having IIS 6.0

I am trying to publish a LightSwitch 2012 application as Web Application from Windows 7 PC to Windows 2003 IIS server, .Net Framework 4.0
The publish Summary as follows
Application Name - User Test
Application Version - 1.0.6.0
Application Type : Browser
Application Server : IIS Server
Authentication : Windows Authentication
Database : Do not publish
Error details while publishing with the option "IIS server has lightswitch deployment prerequisites installed".
============================================================================
102 Web deployment task failed. (15/04/2014 16:24:51) An error occurred when the request was processed on the remote computer.)
(15/04/2014 16:24:51) An error occurred when the request was processed on the remote computer. The entry type 'unknown' was not expected at this time. The serialization stream may be corrupted.
When published without the option "IIS server has lightswitch deployment prerequisites installed".
the applications publishes successfully, But when the application is accessed from Browser it says authentication error.
I have searched a number of blogs with the same issue, but none have answered.
Any help will be highly appreciated.

I am once again facing the same issue when trying to publish remotely. But I have done nothing to the server after successful publishing as suggested below,
Not sure why the issue persists again (Could this be a firewall issue?) . Your help will be much appreciated.
[5952] MsDepSvc.exe Error: 0 :
[5952] Tracing deployment agent exception. Request ID '964acec1-797b-47c2-a4b6-3c872fc9b7ed'. Request Timestamp: '05/12/2014 09:45:31'. Error Details:
[5952] Microsoft.Web.Deployment.DeploymentException: The entry type 'Unknown' was not expected at this time. The serialization stream may be corrupted.
[5952] at Microsoft.Web.Deployment.PackageDeserializer.ReadChildren(Int32 parentId, Boolean bufferIfNeeded)
[5952] at Microsoft.Web.Deployment.SerializationProvider.<GetChildProviders>d__0.MoveNext()
[5952] at Microsoft.Web.Deployment.DeploymentObject.<GetChildrenWithoutAz>d__9.MoveNext()
[5952] at Microsoft.Web.Deployment.DeploymentObject.<GetChildren>d__0.MoveNext()
[5952] at Microsoft.Web.Deployment.DeploymentSyncEnumerable.<Create>d__0.MoveNext()
[5952] at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
[5952] at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildrenOrder(DeploymentObject dest, DeploymentObject source)
[5952] at Microsoft.Web.Deployment.DeploymentSyncContext.SyncChildren(DeploymentObject dest, DeploymentObject source)
[5952] at Microsoft.Web.Deployment.DeploymentSyncContext.ProcessSync(DeploymentObject destinationObject, DeploymentObject sourceObject)
[5952] at Microsoft.Web.Deployment.DeploymentObject.SyncToInternal(DeploymentObject destObject, DeploymentSyncOptions syncOptions, PayloadTable payloadTable, ContentRootTable contentRootTable)
[5952] at Microsoft.Web.Deployment.DeploymentAgent.HandleSync(DeploymentAgentWorkerRequest workerRequest)
[5952] at Microsoft.Web.Deployment.DeploymentAgent.HandleRequestWorker(DeploymentAgentAsyncData asyncData)
[5952] at Microsoft.Web.Deployment.DeploymentAgent.HandleRequest(DeploymentAgentAsyncData asyncData)
Finally, I Could able to resolve the issue. I have identified the below information for a successfull deployment
1. Light switch 2012 application can be published only with Web Deploy 1.1 (which will create Web Deployment Agent Service) in Windows Services list. I had an issue with multiple Web Deploy versions (Web Deploy 2.0, 3.0) which caused to fail the publishing
from Light Switch Development environment. Un-installed all the versions and installed only Web Deploy 1.1 and then published successfully
2. You should use Remote Publish from Light Switch 2012 Development PC as there is no option in IIS 6.0 to import the Package in IIS 6.0 with the packages files similar to the option available in IIS 7.0 and later.
3. You should be able to publish from Light Switch 2012 environment with the option "IIS server has lightswitch deployment prerequisites installed" checked. The application will publish with the option unchecked but it will not work.

Authentication with Windows NT Server

Hi guys!
Our customer has a domain with Windows Server 2003 and Windows Server NT, only users in the Windows Server 2003 appears when we create a access policy for authenticated users. This domains has a trust relationship, WSA supports Windows NT?
Regards,

You will need 2 authentication realms if your not going to use the AD authentication connector for NT 4.0. The firts authentication realm will be NTLM and connect to the NT4.0 PDC server. Next you will need an AD auth realm which will be configured using LDAP. If by chance you have a 2 way transitive trust and the AD connector installed on the NT 4.0 PDC server as well as configured to talk to the 2003 AD server then you could actully just use one authentication realm. To answer your question we do not have a tutorial on configuring NT 4.0 fro authentication as this technology is not supported by Microsoft as it is EOL.
Sincerely,
Erik Kaiser
Cisco WSA Forums Moderator

Cisco AAA authentication with windows radius server

Cisco - Windows Radius problems
I need to created a limited access group through radius that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the radius server is passing the corrrect attriubute
***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
   Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like your in priv exec
mode, you are not.
***Radius-Test#sh run
                ^
   % Invalid input detected at '^' marker.
   Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
   Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
***Radius-Test#sh priv
   Current privilege level is 15
   Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doest actually run the command.
What am I doing wrong?
I also want to get PKI working with radius.

I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

OS AUTHENTICATION on Windows 2000 Server

Hello,
Can anyone tell me the best way to create a user that
is OS authenticated? How and where to configure the server, database? How should Database server and
Client be installed as domain user or Local PC administrator?
I have tried everything under the sun and still get
invalid username/password errors and TNS errors.
Is there a document that best describes all the configuration issues?
PLEASE HELP IMMEDIATELY!!!

> I have requirement to upgrade os patches on SAP server to latest one.
This should be done regularly neverless
> Is there any note that will suggest the patches.
Use Windowsupdate.
> Please let us know what will be the implications with this patches.
Are you on 32bit?
Markus

Cannot connect to DI Server from IIS

Hi,
I have a working installation of IIS and DI server on my laptop (running XP SP1). On my laptop, I can make SOAP calls to the DI Server from .asp pages running on the IIS.
However, I installed the DI server on a Windows 2003 Server with IIS 6 and tried to use the same configurations. Now, I cannot get any connection to the DI Server. The DI Server log only displays information about the start and stop events (on my laptop, each SOAP request is recorded in the log). I examined the IIS log file and this is what I found:
2005-01-12 12:46:13 127.0.0.1 GET /default.htm - 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 200 0 0
2005-01-12 12:46:24 127.0.0.1 POST /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:47:21 10.169.32.4 OPTIONS / - 80 - 10.169.32.72 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2005-01-12 12:47:21 10.169.32.4 PROPFIND /Data - 80 - 10.169.32.72 Microsoft-WebDAV-MiniRedir/5.1.2600 501 0 0
2005-01-12 12:47:21 10.169.32.4 PROPFIND /fijhsk00$ - 80 - 10.169.32.72 Microsoft-WebDAV-MiniRedir/5.1.2600 501 0 0
2005-01-12 12:47:50 127.0.0.1 POST /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:47:52 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:47:52 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:47:52 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:47:53 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:47:53 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:50:23 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:50:25 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:50:25 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
2005-01-12 12:50:26 127.0.0.1 GET /WebSAPManageSoap.asp |13|800a000d|Type_mismatch:_'Session' 80 - 127.0.0.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.2;.NETCLR+1.1.4322) 500 0 0
= = =
It seems obvious that something is wrong with WebSAPManageSoap.asp. However, the same file works fine on my laptop installation. Has anyone got experience or insights about this problem ?
Henry

Hello
I tried as Henry to do the same thing but I got a different error :
the log file of IIS is :
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-27 15:47:27
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2005-01-27 15:47:27 W3SVC1 SRV-DEV 192.168.2.120 POST /WebSAPManageSoap.asp - 80 - 62.39.108.237 HTTP/1.1 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1;SV1;.NETCLR1.1.4322) - - 62.39.108.237 200 0 0 660 1571 3562
and the SOAP response is :
<?xml version="1.0" ?>
- <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
- <env:Body>
- <env:Fault>
- <env:Code>
<env:Value>env:Receiver</env:Value>
- <env:Subcode>
<env:Value>-114</env:Value>
</env:Subcode>
</env:Code>
- <env:Reason>
<env:Text xml:lang="en">No Server Defined</env:Text>
</env:Reason>
- <env:Detail>
<Command>Login</Command>
</env:Detail>
</env:Fault>
</env:Body>
</env:Envelope>
The SOAP request is :
<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
    <Login xmlns="http://localhost/WebSAPManageSoap.asp">
      <DataBaseServer>localhost</DataBaseServer>
      <DataBaseName>SBODemo_US</DataBaseName>
      <DataBaseType>dst_MSSQL</DataBaseType>
      <DataBaseUserName>sa</DataBaseUserName>
      <DataBasePassword>123erty</DataBasePassword>
      <CompanyUserName>manager</CompanyUserName>
      <CompanyPassword>manager</CompanyPassword>
      <Language>ln_English</Language>
      <LicenseServer>srv-dev</LicenseServer>
    </Login>
</soap:Body>
</soap:Envelope>
On the same host I've installed DI SERVER, SBO and IIS and run the license server.
About this issue, I've created a message on the SAP Market place.
But if you have an idea...
Thanks
Jerome

ICal 2.0.2 wont publish to Windows 2000 Server

After upgrading to Tiger, I am no longer able to publish an iCal Calendar to a private server which works perfectly on 10.3.X / ical 1.5.5.
I'm running OS X 10.4.2 and iCal 2.0.2. I am trying to publish to a Windows 2000 server running IIS. When I attempt to publish, I see the dialog box which says, "Publishing <Calendar Name>"... The progress bar gets about 75% across and holds for a while. Finally, I get an error dialog which says, "Publish failed for calendar <calendar name>. -- Request to <hostname> failed after trying for 30 seconds."
Now, I KNOW the permissions are set correctly on the server for two reasons. 1.) I can get it to work from 10.3.9 with no problem at all. And 2.) Under Tiger, if I try to publish this calendar, and there's already a .ics file on the server with the same name, iCal deletes it! It certainly wouldn't be able to delete the file if there were a permissions issue.
So, iCal 2.0.2 does a GREAT job of deleting a calendar on the server, it just won't write a new one. I have even checked the Event viewer on the Windows 2000 server. I'm auditing successes and failures of all events and I see nothing to indicate that it's having a problem.
Thanks in advance for any help/suggestions.
-Chris

I'll reply to myself here...
WebDAV between ical 2.0.2 and Win2000 Server just does not work. This used to be a problem in earlier versions of iCal. That's where "FTP iCal" really came to the rescue.
They finally fixed it, but now it seems to be broken once again.
"FTP iCal" lives once again as "FTP iCal calendars." I guess I'll be using this little gem until Apple fixes iCal AGAIN. Here's the developer's site in case anyone else is interested.
http://www.ese.u-psud.fr/epc/conservation/FTP_iCal/index.html
-Chris

"Windows Authentication Mode" when SQL Server 200 and CF on different machines?

Hi All,
I am playing for two days with following problem. And still I
did not able to get rid of it.
I have installed SQL Server 2000 on machine which is my
server (windows 2003 server) and this machine is my domain
controller. I have user “ABC” user and I have added
this user in administrator group.
I have another machine where OS is Windows XP and CF 7 is
installed. I create an ODBC Connection from Administrative Tool to
my Database (windows 2003 server) successfully.
Now when I create Data Socket in Coldfusion Administrator and
when I select the my ODBC that I had created and when I Submit it
then CF admin throughs the following message.
Connection verification failed for data source: myTest
java.sql.SQLException: [Macromedia][SequeLink JDBC
Driver][ODBC Socket][Microsoft][ODBC SQL Server Driver][SQL
Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Please Brother, I don’t have any Clue to solve it,
Please help.
One Important thing, All this working fine if my CF, and SQL
Server are on same machine.
Best regards,
Shahid

Hi Phil Thanks,
Finally i able to configure it out..... following are the
steps...
I assume domain controller is properly configure.
Following are the steps for the machine where SQL SERVER 2000
is installed
1- We need to create Login account for your domain account in
SQL Server 2000 using Enterprise Manager.
• Right Click -> New Login
• Click to load the domain users, select any user from
your domain that will connect to your SQL Server from LAN.
Following are the steps for the machine where ColdFusion and
IIS are installed.
Step No. 1
Stop ColdFusion MX.
Backup your existing macromedia_drivers.jar file.
Unzip macromedia_drivers.zip into the same directory,
overwriting the previous
macromedia_drivers.jar.
You can download “macromedia_drivers.zip” from
following URL
http://kb.adobe.com/support/coldfusion/ts/documents/1a3c2ad0/macromedia_drivers.zip
A new file, DDJDBCAuth03.dll, which is required for Windows
Authentication, is also included in the zip file replacing the
older DDJDBCAuth.DLL.
Restart ColdFusion MX.
ColdFusion MX loads the JDBC drivers inmacromedia_drivers.jar
in the directory cf_root/lib. For example, with ColdFusion MX 7
Server Configuration on Windows installed on drive C:, this would
beC:\CFusionMX7\lib\macromedia_drivers.jar.
Then restart Machine
Step No. 2
Configure all the ColdFusion Services to “Log On
As” using the Domain User Account configured in SQL Server in
the above mentioned step.
Change the “Log On As” similar for the all other
Cold fusion services (ColdFusion MX 7 ODBC Agent, ColdFusion MX 7
ODBC Server, ColdFusion MX 7 Search Server).
Step No. 3
Restart the services; for the safe side reboot the system.
Step No. 4
Create ODBC (Control Panel -> Administrative Tool ->
Data Sources (ODBC)) using the windows NT Authentication option to
connect to database.
Step No. 5
Create Data Socket and Select the created ODBC connection in
the Drop down (ColdFusion-> Admin)
Thanks to all who participated in this discussion...
With lots of Thanks to All particular to Phil who guided me
in right direction,
Shahid

Windows 2008 server OS authenticated user keeps failing

I have a new server that has windows 2008 server installed, 64-bit. I've installed oracle 11gR2 64-bit and have created my database. Now I need to create two oracle accounts that are OS authenticated and I can't seem to get this right. I've set os_authent_prefix in my spfile and I've created the user (example) OS$<domain>\<username> in the database. In Windows, the account name equals <username> and that account belongs to Administrators and ora_dba groups. I've tried creating the oracle user with <domain> in caps and lowercase, but both fail. On the server, the domain is all lower case.
So in SQL> create user "OS$my.domain.mil\user1" identified externally; (user created)
Grant connect to "OS$my.domain.mil\user1";
Log out of sqlplus, pull up command prompt in Windows 2008 server as 'user1' and type in "sqlplus /"
Invalid username or password.
What am I missing here? Any help appreciated.
SA feedback: "Finally, Windows Server 2008 R2 Operating System has a tighter security scheme than that of previous Windows OS.
Also, it would be helpful if I remove the AD domain controller role from this server. This may require reinstallation of this server (worst case). Let me know when I can do this so you can proceed with your configuration."
Edited by: wolfeet on Jun 21, 2011 5:02 PM

Hello Ricardo,
You may want to reference SAP Note 1054740 - SAP System Installation on Windows Server 2008
and ensure you are on SAP Netweaver 7.0 SR3 or above, and it will also tell you if the product you are installing is supported in Windows 2008 Server.
For database and SAP product combinations that are already
supported by SAP to run on Windows Server 2008, see the Product
Availability Matrix at: http://service.sap.com/pam
Also check the following: in Regedit.
SYSTEM\CurrentControlSet\Services\gpsvc
Right click on it and select "Permissions" in the context menu.
Provide "Full Control" for sidadm
Does the installation user has full administrative rights and belongs
to the group of LocalAdministrators and to Global Administrators also
when you are doing a domain installation ?
Please ensure the user <sid>adm has the access rights
to change the file system permission.
Regards,
Paul

Windows Authentication on SP 14 Server

Hi,
i want to achieve Windows Authentication on SP 14 Server.
which is the best way?
Thanks in advance
Regards,
Bobu

You can go for Kerberos Authentication. There are plenty of weblogs and forum discussions on this.
Windows Integrated Authentication via Kerberos on an LDAP data source
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b69f6f89-0a01-0010-1198-ba7fff95a2ec
Regards,
Piyush
ps: please award points if useful.

SChannel Fails Authentication on Windows Server 2008 R2 Using TLS1

I am trying to use SChannel to secure a socket connection. I modified the example at
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380537(v=vs.85).aspx, converting it from Negotiate to SChannel. Following the specs for the SSPI APIs I was able the get a Client & Server connection authenticated on Windows 7.
However, when I try running the same programs on Windows Server 2008 R2, either the Client side or Server side fails, depending on how I select the security protocol.
Here is the modified example code, details about my results follow the code.
Client.cpp
// Client-side program to establish an SSPI socket connection
// with a server and exchange messages.
// Define macros and constants.
#include "StdAfx.h"
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include "SspiExample.h"
#include <string>
#include <iostream>
CredHandle g_hCred;
SecHandle g_hCtext;
#define SSPI_CLIENT "SChannelClient:" __FUNCTION__
void main(int argc, char * argv[])
SOCKET Client_Socket;
BYTE Data[BIG_BUFF];
PCHAR pMessage;
WSADATA wsaData;
SECURITY_STATUS ss;
DWORD cbRead;
ULONG cbHeader;
ULONG cbMaxMessage;
ULONG cbTrailer;
SecPkgContext_StreamSizes SecPkgSizes;
SecPkgContext_PackageInfo SecPkgPkgInfo;
SecPkgContext_ConnectionInfo ConnectionInfo;
BOOL DoAuthentication (SOCKET s, WCHAR * pCertName);
char Server[512] = {0};
WCHAR CertName[512] = {0};
// Validate cmd line parameters
if ( argc != 3 )
LOGA ( ( __log_buf, SSPI_CLIENT " required parameters ServerName & CertName not entered.\n"));
LOGA( ( __log_buf, SSPI_CLIENT " Abort and start over with required parameters.\n") );
std::cin.get();
else
// argv[1] - ServerName - the name of the computer running the server sample.
// argv[2] - TargetName the common name of the certificate provided
// by the target server program.
memcpy(Server, argv[1], strlen(argv[1]));
size_t sizCN;
mbstowcs_s(&sizCN, CertName, strlen(argv[2])+1, argv[2], _TRUNCATE);
LOGA ( ( __log_buf, SSPI_CLIENT " input parameters - ServerName %s CertName %ls.\n", Server, CertName ));
// Initialize the socket and the SSP security package.
if(WSAStartup (0x0101, &wsaData))
MyHandleError( __FUNCTION__ " Could not initialize winsock ");
// Connect to a server.
SecInvalidateHandle( &g_hCtext );
if (!ConnectAuthSocket (
&Client_Socket,
&g_hCred,
&g_hCtext,
Server,
CertName))
MyHandleError( __FUNCTION__ " Authenticated server connection ");
LOGA ( ( __log_buf, SSPI_CLIENT " connection authenticated.\n"));
// An authenticated session with a server has been established.
// Receive and manage a message from the server.
// First, find and display the name of the SSP,
// the transport protocol supported by the SSP,
// and the size of the header, maximum message, and
// trailer blocks for this SSP.
ss = QueryContextAttributes(
&g_hCtext,
SECPKG_ATTR_PACKAGE_INFO,
&SecPkgPkgInfo );
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_CLIENT "QueryContextAttributes failed: 0x%08x\n", ss));
MyHandleError( __FUNCTION__ " QueryContextAttributes failed.\n");
else
LOGA ( ( __log_buf, SSPI_CLIENT " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
// Free the allocated buffer.
FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
ss = QueryContextAttributes(
&g_hCtext,
SECPKG_ATTR_STREAM_SIZES,
&SecPkgSizes );
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
MyHandleError( __FUNCTION__ " Query context ");
cbHeader = SecPkgSizes.cbHeader;
cbMaxMessage = SecPkgSizes.cbMaximumMessage;
cbTrailer = SecPkgSizes.cbTrailer;
LOGA ( ( __log_buf, SSPI_CLIENT " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));
ss = QueryContextAttributes(
&g_hCtext,
SECPKG_ATTR_CONNECTION_INFO,
&ConnectionInfo );
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
MyHandleError( __FUNCTION__ " Query context ");
switch(ConnectionInfo.dwProtocol)
case SP_PROT_TLS1_CLIENT:
LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: TLS1\n"));
break;
case SP_PROT_SSL3_CLIENT:
LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL3\n"));
break;
case SP_PROT_PCT1_CLIENT:
LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: PCT\n"));
break;
case SP_PROT_SSL2_CLIENT:
LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL2\n"));
break;
default:
LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Protocol: 0x%x\n", ConnectionInfo.dwProtocol));
switch(ConnectionInfo.aiCipher)
case CALG_RC4:
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC4\n");)
break;
case CALG_3DES:
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Triple DES\n"));
break;
case CALG_RC2:
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC2\n"));
break;
case CALG_DES:
case CALG_CYLINK_MEK:
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: DES\n"));
break;
case CALG_SKIPJACK:
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Skipjack\n"));
break;
case CALG_AES_256:
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: AES 256\n"));
break;
default:
LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Cipher: 0x%x\n", ConnectionInfo.aiCipher));
LOGA ( ( __log_buf, SSPI_CLIENT " Cipher strength: %d\n", ConnectionInfo.dwCipherStrength));
switch(ConnectionInfo.aiHash)
case CALG_MD5:
LOGA ( ( __log_buf, SSPI_CLIENT " Hash: MD5\n"));
break;
case CALG_SHA:
LOGA ( ( __log_buf, SSPI_CLIENT " Hash: SHA\n"));
break;
default:
LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Hash: 0x%x\n", ConnectionInfo.aiHash));
LOGA ( ( __log_buf, SSPI_CLIENT " Hash strength: %d\n", ConnectionInfo.dwHashStrength));
switch(ConnectionInfo.aiExch)
case CALG_RSA_KEYX:
case CALG_RSA_SIGN:
LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: RSA\n"));
break;
case CALG_KEA_KEYX:
LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: KEA\n"));
break;
case CALG_DH_EPHEM:
LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: DH Ephemeral\n"));
break;
default:
LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Key exchange: 0x%x\n", ConnectionInfo.aiExch));
LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange strength: %d\n", ConnectionInfo.dwExchStrength));
// Decrypt and display the message from the server.
if (!ReceiveBytes(
Client_Socket,
Data,
BIG_BUFF,
&cbRead))
MyHandleError( __FUNCTION__ " No response from server\n");
if (0 == cbRead)
MyHandleError(__FUNCTION__ " Zero bytes received.\n");
pMessage = (PCHAR) DecryptThis(
Data,
&cbRead,
&g_hCtext);
// Skip the header to get the decrypted message
pMessage += cbHeader;
ULONG cbMessage = cbRead-cbHeader-cbTrailer;
if ((cbMessage == strlen(TEST_MSG)) &&
!strncmp(pMessage, TEST_MSG, strlen(TEST_MSG)) )
LOGA ( ( __log_buf, SSPI_CLIENT " SUCCESS!! The message from the server is \n -> %.*s \n",
cbMessage, pMessage ))
else
LOGA ( ( __log_buf, SSPI_CLIENT " UNEXPECTED message from the server: \n -> %.*s \n",
cbMessage, pMessage ));
LOGA ( ( __log_buf, SSPI_CLIENT " rcvd msg size %u, exp size %u\n", cbMessage, strlen(TEST_MSG) ));
// Terminate socket and security package.
DeleteSecurityContext (&g_hCtext);
FreeCredentialHandle (&g_hCred);
shutdown (Client_Socket, 2);
closesocket (Client_Socket);
if (SOCKET_ERROR == WSACleanup ())
MyHandleError( __FUNCTION__ " Problem with socket cleanup ");
exit (EXIT_SUCCESS);
} // end main
// ConnectAuthSocket establishes an authenticated socket connection
// with a server and initializes needed security package resources.
BOOL ConnectAuthSocket (
SOCKET *s,
CredHandle *g_hCred,
PSecHandle phCtext,
char * pServer,
WCHAR * pCertName)
unsigned long ulAddress;
struct hostent *pHost;
SOCKADDR_IN sin;
// Lookup the server's address.
LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n"));
ulAddress = inet_addr (pServer);
if (INADDR_NONE == ulAddress)
LOGA ( ( __log_buf, SSPI_CLIENT " calling gethostbyname with %s.\n", pServer ));
pHost = gethostbyname (pServer);
if (NULL == pHost)
MyHandleError(__FUNCTION__ " Unable to resolve host name ");
memcpy((char FAR *)&ulAddress, pHost->h_addr, pHost->h_length);
std::string ipAddrStr;
ipAddrStr = inet_ntoa( *(struct in_addr*)*pHost->h_addr_list);
LOGA ( ( __log_buf, __FUNCTION__ " gethostbyname - ipAddress %s, name %s.\n", ipAddrStr.c_str(), pHost->h_name ) );
// Create the socket.
*s = socket (
PF_INET,
SOCK_STREAM,
0);
if (INVALID_SOCKET == *s)
MyHandleError(__FUNCTION__ " Unable to create socket");
else
LOGA ( ( __log_buf, SSPI_CLIENT " Socket created.\n"));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ulAddress;
sin.sin_port = htons (g_usPort);
// Connect to the server.
if (connect (*s, (LPSOCKADDR) &sin, sizeof (sin)))
closesocket (*s);
MyHandleError( __FUNCTION__ " Connect failed ");
LOGA ( ( __log_buf, SSPI_CLIENT " Connection established.\n"));
// Authenticate the connection.
if (!DoAuthentication (*s, pCertName))
closesocket (*s);
MyHandleError( __FUNCTION__ " Authentication ");
LOGA ( ( __log_buf, SSPI_CLIENT " success.\n"));
return(TRUE);
} // end ConnectAuthSocket
BOOL DoAuthentication (SOCKET s, WCHAR * pCertName)
BOOL fDone = FALSE;
DWORD cbOut = 0;
DWORD cbIn = 0;
PBYTE pInBuf;
PBYTE pOutBuf;
if(!(pInBuf = (PBYTE) malloc(MAXMESSAGE)))
MyHandleError( __FUNCTION__ " Memory allocation ");
if(!(pOutBuf = (PBYTE) malloc(MAXMESSAGE)))
MyHandleError( __FUNCTION__ " Memory allocation ");
cbOut = MAXMESSAGE;
LOGA ( ( __log_buf, SSPI_CLIENT " 1st message.\n"));
if (!GenClientContext (
NULL,
0,
pOutBuf,
&cbOut,
&fDone,
pCertName,
&g_hCred,
&g_hCtext
LOGA ( ( __log_buf, SSPI_CLIENT " GenClientContext failed\n"));
return(FALSE);
if (!SendMsg (s, pOutBuf, cbOut ))
MyHandleError(__FUNCTION__ " Send message failed ");
while (!fDone)
if (!ReceiveMsg (
s,
pInBuf,
MAXMESSAGE,
&cbIn))
MyHandleError( __FUNCTION__ " Receive message failed ");
cbOut = MAXMESSAGE;
LOGA ( ( __log_buf, SSPI_CLIENT " Message loop.\n"));
if (!GenClientContext (
pInBuf,
cbIn,
pOutBuf,
&cbOut,
&fDone,
pCertName,
&g_hCred,
&g_hCtext))
MyHandleError( __FUNCTION__ " GenClientContext failed");
if (!SendMsg (
s,
pOutBuf,
cbOut))
MyHandleError( __FUNCTION__ " Send message failed");
LOGA ( ( __log_buf, SSPI_CLIENT " fDone %s.\n", fDone ? "Yes" : "No" ));
if (NULL != pInBuf)
free(pInBuf);
pInBuf = NULL;
if (NULL != pOutBuf)
free(pOutBuf);
pOutBuf = NULL;
LOGA ( ( __log_buf, SSPI_CLIENT " exit.\n"));
return(TRUE);
BOOL GenClientContext (
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut,
BOOL *pfDone,
WCHAR *pCertName,
CredHandle *g_hCred,
struct _SecHandle *g_hCtext)
SECURITY_STATUS ss;
TimeStamp Lifetime;
SecBufferDesc OutBuffDesc;
SecBuffer OutSecBuff;
SecBufferDesc InBuffDesc;
SecBuffer InSecBuff[2];
ULONG ContextAttributes;
static TCHAR lpPackageName[1024];
if( NULL == pIn )
wcscpy_s(lpPackageName, 1024 * sizeof(TCHAR), UNISP_NAME );
ss = AcquireCredentialsHandle (
NULL,
lpPackageName,
SECPKG_CRED_OUTBOUND,
NULL,
NULL,
NULL,
NULL,
g_hCred,
&Lifetime);
if (!(SEC_SUCCESS (ss)))
MyHandleError( __FUNCTION__ " AcquireCreds failed ");
// Prepare the buffers.
OutBuffDesc.ulVersion = 0;
OutBuffDesc.cBuffers = 1;
OutBuffDesc.pBuffers = &OutSecBuff;
OutSecBuff.cbBuffer = *pcbOut;
OutSecBuff.BufferType = SECBUFFER_TOKEN;
OutSecBuff.pvBuffer = pOut;
// The input buffer is created only if a message has been received
// from the server.
if (pIn)
LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with pIn supplied.\n"));
InBuffDesc.ulVersion = 0;
InBuffDesc.cBuffers = 1;
InBuffDesc.pBuffers = InSecBuff;
InSecBuff[0].cbBuffer = cbIn;
InSecBuff[0].BufferType = SECBUFFER_TOKEN;
InSecBuff[0].pvBuffer = pIn;
InSecBuff[1].pvBuffer = NULL;
InSecBuff[1].cbBuffer = 0;
InSecBuff[1].BufferType = SECBUFFER_EMPTY;
ss = InitializeSecurityContext (
g_hCred,
g_hCtext,
pCertName,
MessageAttribute,
0,
0,
&InBuffDesc,
0,
g_hCtext,
&OutBuffDesc,
&ContextAttributes,
&Lifetime);
else
LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with NULL pIn.\n"));
ss = InitializeSecurityContext (
g_hCred,
NULL,
pCertName,
MessageAttribute,
0,
0,
NULL,
0,
g_hCtext,
&OutBuffDesc,
&ContextAttributes,
&Lifetime);
if (!SEC_SUCCESS (ss))
LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext failed with error 0x%08x\n", ss));
MyHandleError ( __FUNCTION__ " InitializeSecurityContext failed " );
LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext returned 0x%08x\n", ss));
// If necessary, complete the token.
if ((SEC_I_COMPLETE_NEEDED == ss)
|| (SEC_I_COMPLETE_AND_CONTINUE == ss))
ss = CompleteAuthToken (g_hCtext, &OutBuffDesc);
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_CLIENT " complete failed: 0x%08x\n", ss));
return FALSE;
*pcbOut = OutSecBuff.cbBuffer;
*pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
(SEC_I_COMPLETE_AND_CONTINUE == ss));
LOGA ( ( __log_buf, SSPI_CLIENT " Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer));
PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
return TRUE;
PBYTE DecryptThis(
PBYTE pBuffer,
LPDWORD pcbMessage,
struct _SecHandle *hCtxt)
SECURITY_STATUS ss;
SecBufferDesc BuffDesc;
SecBuffer SecBuff[4];
ULONG ulQop = 0;
// By agreement, the server encrypted the message and set the size
// of the trailer block to be just what it needed. DecryptMessage
// needs the size of the trailer block.
// The size of the trailer is in the first DWORD of the
// message received.
LOGA ( ( __log_buf, SSPI_CLIENT " data before decryption including trailer (%lu bytes):\n",
*pcbMessage));
PrintHexDump (*pcbMessage, (PBYTE) pBuffer);
// Prepare the buffers to be passed to the DecryptMessage function.
BuffDesc.ulVersion = 0;
BuffDesc.cBuffers = 4;
BuffDesc.pBuffers = SecBuff;
SecBuff[0].cbBuffer = *pcbMessage;
SecBuff[0].BufferType = SECBUFFER_DATA;
SecBuff[0].pvBuffer = pBuffer;
SecBuff[1].cbBuffer = 0;
SecBuff[1].BufferType = SECBUFFER_EMPTY;
SecBuff[1].pvBuffer = NULL;
SecBuff[2].cbBuffer = 0;
SecBuff[2].BufferType = SECBUFFER_EMPTY;
SecBuff[2].pvBuffer = NULL;
SecBuff[3].cbBuffer = 0;
SecBuff[3].BufferType = SECBUFFER_EMPTY;
SecBuff[3].pvBuffer = NULL;
ss = DecryptMessage(
hCtxt,
&BuffDesc,
0,
&ulQop);
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage failed with error 0x%08x\n", ss))
else
LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage success? Status: 0x%08x\n", ss));
// Return a pointer to the decrypted data. The trailer data
// is discarded.
return pBuffer;
PBYTE VerifyThis(
PBYTE pBuffer,
LPDWORD pcbMessage,
struct _SecHandle *hCtxt,
ULONG cbMaxSignature)
SECURITY_STATUS ss;
SecBufferDesc BuffDesc;
SecBuffer SecBuff[2];
ULONG ulQop = 0;
PBYTE pSigBuffer;
PBYTE pDataBuffer;
// The global cbMaxSignature is the size of the signature
// in the message received.
LOGA ( ( __log_buf, SSPI_CLIENT " data before verifying (including signature):\n"));
PrintHexDump (*pcbMessage, pBuffer);
// By agreement with the server,
// the signature is at the beginning of the message received,
// and the data that was signed comes after the signature.
pSigBuffer = pBuffer;
pDataBuffer = pBuffer + cbMaxSignature;
// The size of the message is reset to the size of the data only.
*pcbMessage = *pcbMessage - (cbMaxSignature);
// Prepare the buffers to be passed to the signature verification
// function.
BuffDesc.ulVersion = 0;
BuffDesc.cBuffers = 2;
BuffDesc.pBuffers = SecBuff;
SecBuff[0].cbBuffer = cbMaxSignature;
SecBuff[0].BufferType = SECBUFFER_TOKEN;
SecBuff[0].pvBuffer = pSigBuffer;
SecBuff[1].cbBuffer = *pcbMessage;
SecBuff[1].BufferType = SECBUFFER_DATA;
SecBuff[1].pvBuffer = pDataBuffer;
ss = VerifySignature(
hCtxt,
&BuffDesc,
0,
&ulQop
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_CLIENT " VerifyMessage failed with error 0x%08x\n", ss));
else
LOGA ( ( __log_buf, SSPI_CLIENT " Message was properly signed.\n"));
return pDataBuffer;
} // end VerifyThis
void PrintHexDump(
DWORD length,
PBYTE buffer)
DWORD i,count,index;
CHAR rgbDigits[]="0123456789abcdef";
CHAR rgbLine[100];
char cbLine;
for(index = 0; length;
length -= count, buffer += count, index += count)
count = (length > 16) ? 16:length;
sprintf_s(rgbLine, 100, "%4.4x ",index);
cbLine = 6;
for(i=0;i<count;i++)
rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
if(i == 7)
rgbLine[cbLine++] = ':';
else
rgbLine[cbLine++] = ' ';
for(; i < 16; i++)
rgbLine[cbLine++] = ' ';
rgbLine[cbLine++] = ' ';
rgbLine[cbLine++] = ' ';
rgbLine[cbLine++] = ' ';
for(i = 0; i < count; i++)
if(buffer[i] < 32 || buffer[i] > 126)
rgbLine[cbLine++] = '.';
else
rgbLine[cbLine++] = buffer[i];
rgbLine[cbLine++] = 0;
LOGA ( ( __log_buf, SSPI_CLIENT " %s\n", rgbLine));
BOOL SendMsg (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf)
if (0 == cbBuf)
return(TRUE);
// Send the size of the message.
LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes\n", cbBuf ));
if (!SendBytes (s, (PBYTE)&cbBuf, sizeof (cbBuf)))
LOGA ( ( __log_buf, SSPI_CLIENT " size failed.\n" ) );
return(FALSE);
// Send the body of the message.
if (!SendBytes (
s,
pBuf,
cbBuf))
LOGA ( ( __log_buf, SSPI_CLIENT " body failed.\n" ) );
return(FALSE);
LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
return(TRUE);
BOOL ReceiveMsg (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf,
DWORD *pcbRead)
DWORD cbRead;
DWORD cbData;
// Receive the number of bytes in the message.
LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n" ));
if (!ReceiveBytes (
s,
(PBYTE)&cbData,
sizeof (cbData),
&cbRead))
return(FALSE);
if (sizeof (cbData) != cbRead)
LOGA ( ( __log_buf, SSPI_CLIENT " failed: size of cbData %lu, bytes %lu\n", sizeof (cbData), cbRead));
return(FALSE);
// Read the full message.
if (!ReceiveBytes (
s,
pBuf,
cbData,
&cbRead))
return(FALSE);
if (cbRead != cbData)
return(FALSE);
*pcbRead = cbRead;
return(TRUE);
} // end ReceiveMessage
BOOL SendBytes (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf)
PBYTE pTemp = pBuf;
int cbSent;
int cbRemaining = cbBuf;
if (0 == cbBuf)
return(TRUE);
while (cbRemaining)
LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes.\n", cbRemaining ));
cbSent = send (
s,
(const char *)pTemp,
cbRemaining,
0);
if (SOCKET_ERROR == cbSent)
LOGA ( ( __log_buf, SSPI_CLIENT " send failed: 0x%08.8X\n", GetLastError ()));
return FALSE;
pTemp += cbSent;
cbRemaining -= cbSent;
LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
return TRUE;
BOOL ReceiveBytes (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf,
DWORD *pcbRead)
PBYTE pTemp = pBuf;
int cbRead, cbRemaining = cbBuf;
LOGA ( ( __log_buf, SSPI_CLIENT " Entry: %lu bytes.\n", cbRemaining ));
while (cbRemaining)
cbRead = recv (
s,
(char *)pTemp,
cbRemaining,
0);
LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes remaining.\n", cbRemaining ));
if (0 == cbRead)
break;
if (SOCKET_ERROR == cbRead)
LOGA ( ( __log_buf, SSPI_CLIENT " recv failed: 0x%08.8X\n", GetLastError ()));
return FALSE;
cbRemaining -= cbRead;
pTemp += cbRead;
*pcbRead = cbBuf - cbRemaining;
LOGA ( ( __log_buf, SSPI_CLIENT " success.\n" ));
return TRUE;
} // end ReceiveBytes
void MyHandleError(char *s)
DWORD err = GetLastError();
if (err)
LOGA ( ( __log_buf, SSPI_CLIENT " %s error (0x%08.8X). Exiting.\n",s, err ))
else
LOGA ( ( __log_buf, SSPI_CLIENT " %s error (no error info). Exiting.\n",s ));
exit (EXIT_FAILURE);
Server.cpp
// This is a server-side SSPI Windows Sockets program.
#include "StdAfx.h"
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include "Sspiexample.h"
#include <iostream>
CredHandle g_hcred;
struct _SecHandle g_hctxt;
static PBYTE g_pInBuf = NULL;
static PBYTE g_pOutBuf = NULL;
static DWORD g_cbMaxMessage;
static TCHAR g_lpPackageName[1024];
BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb );
#define SSPI_SERVER "SChannelServer:" __FUNCTION__
void main (int argc, char * argv[])
CHAR pMessage[200];
DWORD cbMessage;
PBYTE pDataToClient = NULL;
DWORD cbDataToClient = 0;
PWCHAR pUserName = NULL;
DWORD cbUserName = 0;
SOCKET Server_Socket;
WSADATA wsaData;
SECURITY_STATUS ss;
PSecPkgInfo pkgInfo;
SecPkgContext_StreamSizes SecPkgSizes;
SecPkgContext_PackageInfo SecPkgPkgInfo;
ULONG cbMaxMessage;
ULONG cbHeader;
ULONG cbTrailer;
std::string certThumb;
// Create a certificate if no thumbprint is supplied. Otherwise, use the provided
// thumbprint to find the certificate.
if ( (argc > 1) && (strlen( argv[1]) > 0) )
certThumb.assign(argv[1]);
else
LOGA( ( __log_buf, SSPI_SERVER " : No certificate thumbprint supplied.\n") );
LOGA( ( __log_buf, SSPI_SERVER " : Press ENTER to create a certificate, or abort and start over with a thumbprint.\n") );
std::cin.get();
certThumb.clear();
Insert code to find or create X.509 certificate.
// Set the default package to SChannel.
wcscpy_s(g_lpPackageName, 1024 * sizeof(TCHAR), UNISP_NAME);
// Initialize the socket interface and the security package.
if( WSAStartup (0x0101, &wsaData))
LOGA ( ( __log_buf, SSPI_SERVER " Could not initialize winsock: \n") );
cleanup();
ss = QuerySecurityPackageInfo (
g_lpPackageName,
&pkgInfo);
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_SERVER " Could not query package info for %s, error 0x%08x\n",
g_lpPackageName, ss) );
cleanup();
g_cbMaxMessage = pkgInfo->cbMaxToken;
FreeContextBuffer(pkgInfo);
g_pInBuf = (PBYTE) malloc (g_cbMaxMessage);
g_pOutBuf = (PBYTE) malloc (g_cbMaxMessage);
if (NULL == g_pInBuf || NULL == g_pOutBuf)
LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
cleanup();
// Start looping for clients.
while(TRUE)
LOGA ( ( __log_buf, SSPI_SERVER " Waiting for client to connect...\n"));
// Make an authenticated connection with client.
if (!AcceptAuthSocket (&Server_Socket, certThumb ))
LOGA ( ( __log_buf, SSPI_SERVER " Could not authenticate the socket.\n"));
cleanup();
ss = QueryContextAttributes(
&g_hctxt,
SECPKG_ATTR_STREAM_SIZES,
&SecPkgSizes );
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
exit(1);
// The following values are used for encryption and signing.
cbMaxMessage = SecPkgSizes.cbMaximumMessage;
cbHeader = SecPkgSizes.cbHeader;
cbTrailer = SecPkgSizes.cbTrailer;
LOGA ( ( __log_buf, SSPI_SERVER " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));
ss = QueryContextAttributes(
&g_hctxt,
SECPKG_ATTR_PACKAGE_INFO,
&SecPkgPkgInfo );
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
exit(1);
else
LOGA ( ( __log_buf, SSPI_SERVER " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
// Free the allocated buffer.
FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
// Send the client an encrypted message.
strcpy_s(pMessage, sizeof(pMessage),
TEST_MSG);
cbMessage = (DWORD)strlen(pMessage);
EncryptThis (
(PBYTE) pMessage,
cbMessage,
&pDataToClient,
&cbDataToClient,
cbHeader,
cbTrailer);
// Send the encrypted data to client.
if (!SendBytes(
Server_Socket,
pDataToClient,
cbDataToClient))
LOGA ( ( __log_buf, SSPI_SERVER " send message failed. \n"));
cleanup();
LOGA ( ( __log_buf, SSPI_SERVER " %d encrypted bytes sent. \n", cbDataToClient));
if (Server_Socket)
DeleteSecurityContext (&g_hctxt);
FreeCredentialHandle (&g_hcred);
shutdown (Server_Socket, 2) ;
closesocket (Server_Socket);
Server_Socket = 0;
if (pUserName)
free (pUserName);
pUserName = NULL;
cbUserName = 0;
if(pDataToClient)
free (pDataToClient);
pDataToClient = NULL;
cbDataToClient = 0;
} // end while loop
LOGA ( ( __log_buf, SSPI_SERVER " Server ran to completion without error.\n"));
cleanup();
} // end main
BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb )
SOCKET sockListen;
SOCKET sockClient;
SOCKADDR_IN sockIn;
// Create listening socket.
sockListen = socket (
PF_INET,
SOCK_STREAM,
0);
if (INVALID_SOCKET == sockListen)
LOGA ( ( __log_buf, SSPI_SERVER " Failed to create socket: %u\n", GetLastError ()));
return(FALSE);
// Bind to local port.
sockIn.sin_family = AF_INET;
sockIn.sin_addr.s_addr = 0;
sockIn.sin_port = htons(usPort);
if (SOCKET_ERROR == bind (
sockListen,
(LPSOCKADDR) &sockIn,
sizeof (sockIn)))
LOGA ( ( __log_buf, SSPI_SERVER " bind failed: %u\n", GetLastError ()));
return(FALSE);
// Listen for client.
if (SOCKET_ERROR == listen (sockListen, 1))
LOGA ( ( __log_buf, SSPI_SERVER " Listen failed: %u\n", GetLastError ()));
return(FALSE);
else
LOGA ( ( __log_buf, SSPI_SERVER " Listening ! \n"));
// Accept client.
sockClient = accept (
sockListen,
NULL,
NULL);
if (INVALID_SOCKET == sockClient)
LOGA ( ( __log_buf, SSPI_SERVER " accept failed: %u\n",GetLastError() ) );
return(FALSE);
closesocket (sockListen);
*ServerSocket = sockClient;
return(DoAuthentication (sockClient, certThumb ));
} // end AcceptAuthSocket
BOOL DoAuthentication (SOCKET AuthSocket, std::string certThumb )
SECURITY_STATUS ss;
DWORD cbIn, cbOut;
BOOL done = FALSE;
TimeStamp Lifetime;
BOOL fNewConversation;
fNewConversation = TRUE;
PCCERT_CONTEXT pCertCtxt;
Insert code to retrieve pCertCtxt
// Build SCHANNEL_CRED structure to hold CERT_CONTEXT for call to AcquireCredentialsHandle
SCHANNEL_CRED credSchannel = {0};
credSchannel.dwVersion = SCHANNEL_CRED_VERSION;
credSchannel.grbitEnabledProtocols = SP_PROT_SSL2_SERVER | SP_PROT_TLS1_SERVER;
credSchannel.cCreds = 1;
credSchannel.paCred = &pCertCtxt;
ss = AcquireCredentialsHandle (
NULL, //pszPrincipal
g_lpPackageName, //pszPackage
SECPKG_CRED_INBOUND, //fCredentialuse
NULL, //pvLogonID
&credSchannel, //pAuthData - need SCHANNEL_CRED structure that indicates the protocol to use and the settings for various customizable channel features.
NULL, //pGetKeyFn
NULL, //pvGetKeyArgument
&g_hcred, //phCredential
&Lifetime); //ptsExpiry
if (!SEC_SUCCESS (ss))
LOGA ( ( __log_buf, SSPI_SERVER " AcquireCreds failed: 0x%08x\n", ss));
return(FALSE);
while(!done)
if (!ReceiveMsg (
AuthSocket,
g_pInBuf,
g_cbMaxMessage,
&cbIn))
return(FALSE);
cbOut = g_cbMaxMessage;
if (!GenServerContext (
g_pInBuf,
cbIn,
g_pOutBuf,
&cbOut,
&done,
fNewConversation))
LOGA ( ( __log_buf, SSPI_SERVER " GenServerContext failed.\n"));
return(FALSE);
fNewConversation = FALSE;
if (!SendMsg (
AuthSocket,
g_pOutBuf,
cbOut))
LOGA ( ( __log_buf, SSPI_SERVER " Send message failed.\n"));
return(FALSE);
return(TRUE);
} // end DoAuthentication
BOOL GenServerContext (
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut,
BOOL *pfDone,
BOOL fNewConversation)
SECURITY_STATUS ss;
TimeStamp Lifetime;
SecBufferDesc OutBuffDesc;
SecBuffer OutSecBuff;
SecBufferDesc InBuffDesc;
SecBuffer InSecBuff;
ULONG Attribs = 0;
// Prepare output buffers.
OutBuffDesc.ulVersion = 0;
OutBuffDesc.cBuffers = 1;
OutBuffDesc.pBuffers = &OutSecBuff;
OutSecBuff.cbBuffer = *pcbOut;
OutSecBuff.BufferType = SECBUFFER_TOKEN;
OutSecBuff.pvBuffer = pOut;
// Prepare input buffers.
InBuffDesc.ulVersion = 0;
InBuffDesc.cBuffers = 1;
InBuffDesc.pBuffers = &InSecBuff;
InSecBuff.cbBuffer = cbIn;
InSecBuff.BufferType = SECBUFFER_TOKEN;
InSecBuff.pvBuffer = pIn;
LOGA ( ( __log_buf, SSPI_SERVER " Token buffer received (%lu bytes):\n", InSecBuff.cbBuffer));
PrintHexDump (InSecBuff.cbBuffer, (PBYTE)InSecBuff.pvBuffer);
ss = AcceptSecurityContext (
&g_hcred,
fNewConversation ? NULL : &g_hctxt,
&InBuffDesc,
Attribs,
SECURITY_NATIVE_DREP,
&g_hctxt,
&OutBuffDesc,
&Attribs,
&Lifetime);
if (!SEC_SUCCESS (ss))
LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext failed: 0x%08x\n", ss));
OutputDebugStringA( "." );
return FALSE;
// Complete token if applicable.
if ((SEC_I_COMPLETE_NEEDED == ss)
|| (SEC_I_COMPLETE_AND_CONTINUE == ss))
ss = CompleteAuthToken (&g_hctxt, &OutBuffDesc);
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_SERVER " complete failed: 0x%08x\n", ss));
OutputDebugStringA( "." );
return FALSE;
*pcbOut = OutSecBuff.cbBuffer;
// fNewConversation equals FALSE.
LOGA ( ( __log_buf, SSPI_SERVER " Token buffer generated (%lu bytes):\n",
OutSecBuff.cbBuffer));
PrintHexDump (
OutSecBuff.cbBuffer,
(PBYTE)OutSecBuff.pvBuffer);
*pfDone = !((SEC_I_CONTINUE_NEEDED == ss)
|| (SEC_I_COMPLETE_AND_CONTINUE == ss));
LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext result = 0x%08x\n", ss));
return TRUE;
} // end GenServerContext
BOOL EncryptThis (
PBYTE pMessage,
ULONG cbMessage,
BYTE ** ppOutput,
ULONG * pcbOutput,
ULONG cbHeader,
ULONG cbTrailer)
SECURITY_STATUS ss;
SecBufferDesc BuffDesc;
SecBuffer SecBuff[4];
ULONG ulQop = 0;
// The size of the trailer (signature + padding) block is
// determined from the global cbSecurityTrailer.
LOGA ( ( __log_buf, SSPI_SERVER " Data before encryption: %s\n", pMessage));
LOGA ( ( __log_buf, SSPI_SERVER " Length of data before encryption: %d \n",cbMessage));
// Prepare buffers.
BuffDesc.ulVersion = 0;
BuffDesc.cBuffers = 4;
BuffDesc.pBuffers = SecBuff;
PBYTE pHeader;
pHeader = (PBYTE) malloc (cbHeader);
SecBuff[0].cbBuffer = cbHeader;
SecBuff[0].BufferType = SECBUFFER_STREAM_HEADER;
SecBuff[0].pvBuffer = pHeader;
SecBuff[1].cbBuffer = cbMessage;
SecBuff[1].BufferType = SECBUFFER_DATA;
SecBuff[1].pvBuffer = pMessage;
PBYTE pTrailer;
pTrailer = (PBYTE) malloc (cbTrailer);
SecBuff[2].cbBuffer = cbTrailer;
SecBuff[2].BufferType = SECBUFFER_STREAM_TRAILER;
SecBuff[2].pvBuffer = pTrailer;
SecBuff[3].cbBuffer = 0;
SecBuff[3].BufferType = SECBUFFER_EMPTY;
SecBuff[3].pvBuffer = NULL;
ss = EncryptMessage(
&g_hctxt,
ulQop,
&BuffDesc,
0);
if (!SEC_SUCCESS(ss))
LOGA ( ( __log_buf, SSPI_SERVER " EncryptMessage failed: 0x%08x\n", ss));
return(FALSE);
else
LOGA ( ( __log_buf, SSPI_SERVER " The message has been encrypted. \n"));
// Allocate a buffer to hold the encrypted data constructed from the 3 buffers.
*pcbOutput = cbHeader + cbMessage + cbTrailer;
* ppOutput = (PBYTE) malloc (*pcbOutput);
memset (*ppOutput, 0, *pcbOutput);
memcpy (*ppOutput, pHeader, cbHeader);
memcpy (*ppOutput + cbHeader, pMessage, cbMessage);
memcpy (*ppOutput + cbHeader + cbMessage, pTrailer, cbTrailer);
LOGA ( ( __log_buf, SSPI_SERVER " data after encryption including trailer (%lu bytes):\n",
*pcbOutput));
PrintHexDump (*pcbOutput, *ppOutput);
return TRUE;
} // end EncryptThis
void PrintHexDump(DWORD length, PBYTE buffer)
DWORD i,count,index;
CHAR rgbDigits[]="0123456789abcdef";
CHAR rgbLine[100];
char cbLine;
for(index = 0; length;
length -= count, buffer += count, index += count)
count = (length > 16) ? 16:length;
sprintf_s(rgbLine, 100, "%4.4x ",index);
cbLine = 6;
for(i=0;i<count;i++)
rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
if(i == 7)
rgbLine[cbLine++] = ':';
else
rgbLine[cbLine++] = ' ';
for(; i < 16; i++)
rgbLine[cbLine++] = ' ';
rgbLine[cbLine++] = ' ';
rgbLine[cbLine++] = ' ';
rgbLine[cbLine++] = ' ';
for(i = 0; i < count; i++)
if(buffer[i] < 32 || buffer[i] > 126)
rgbLine[cbLine++] = '.';
else
rgbLine[cbLine++] = buffer[i];
rgbLine[cbLine++] = 0;
LOGA ( ( __log_buf, SSPI_SERVER " %s\n", rgbLine));
} // end PrintHexDump
BOOL SendMsg (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf)
LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
if (0 == cbBuf)
return(TRUE);
// Send the size of the message.
if (!SendBytes (
s,
(PBYTE)&cbBuf,
sizeof (cbBuf)))
return(FALSE);
// Send the body of the message.
if (!SendBytes (
s,
pBuf,
cbBuf))
return(FALSE);
return(TRUE);
} // end SendMsg
BOOL ReceiveMsg (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf,
DWORD *pcbRead)
DWORD cbRead;
DWORD cbData;
LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
// Retrieve the number of bytes in the message.
if (!ReceiveBytes (
s,
(PBYTE)&cbData,
sizeof (cbData),
&cbRead))
LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed retrieving byte count.\n", cbBuf ));
return(FALSE);
if (sizeof (cbData) != cbRead)
LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer size (%lu) differs from reported size (%lu)\n", sizeof(cbData), cbRead ));
return(FALSE);
// Read the full message.
if (!ReceiveBytes (
s,
pBuf,
cbData,
&cbRead))
LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed.\n", cbBuf ));
return(FALSE);
if (cbRead != cbData)
LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer bytes (%lu) differs from reported bytes (%lu)\n", cbData, cbRead ));
return(FALSE);
*pcbRead = cbRead;
return(TRUE);
} // end ReceiveMsg
BOOL SendBytes (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf)
PBYTE pTemp = pBuf;
int cbSent, cbRemaining = cbBuf;
LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
if (0 == cbBuf)
return(TRUE);
while (cbRemaining)
cbSent = send (
s,
(const char *)pTemp,
cbRemaining,
0);
if (SOCKET_ERROR == cbSent)
LOGA ( ( __log_buf, SSPI_SERVER " send failed: %u\n", GetLastError ()));
return FALSE;
LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes sent\n", cbSent ));
pTemp += cbSent;
cbRemaining -= cbSent;
return TRUE;
} // end SendBytes
BOOL ReceiveBytes (
SOCKET s,
PBYTE pBuf,
DWORD cbBuf,
DWORD *pcbRead)
PBYTE pTemp = pBuf;
int cbRead, cbRemaining = cbBuf;
LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
while (cbRemaining)
cbRead = recv (
s,
(char *)pTemp,
cbRemaining,
0);
if (0 == cbRead)
break;
if (SOCKET_ERROR == cbRead)
LOGA ( ( __log_buf, SSPI_SERVER " recv failed: %u\n", GetLastError () ) );
return FALSE;
cbRemaining -= cbRead;
pTemp += cbRead;
*pcbRead = cbBuf - cbRemaining;
return TRUE;
} // end ReceivesBytes
void cleanup()
if (g_pInBuf)
free (g_pInBuf);
g_pInBuf = NULL;
if (g_pOutBuf)
free (g_pOutBuf);
g_pOutBuf = NULL;
WSACleanup ();
exit(0);
SspiExample.h
// SspiExample.h
#include <schnlsp.h>
#include <sspi.h>
#include <windows.h>
#include <string>
BOOL SendMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
BOOL SendBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
void cleanup();
BOOL GenClientContext (
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut,
BOOL *pfDone,
WCHAR *pCertName,
CredHandle *hCred,
PSecHandle phCtext
BOOL GenServerContext (
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut,
BOOL *pfDone,
BOOL fNewCredential
BOOL EncryptThis (
PBYTE pMessage,
ULONG cbMessage,
BYTE ** ppOutput,
LPDWORD pcbOutput,
ULONG cbHeader,
ULONG cbTrailer
PBYTE DecryptThis(
PBYTE achData,
LPDWORD pcbMessage,
struct _SecHandle *hCtxt
BOOL
SignThis (
PBYTE pMessage,
ULONG cbMessage,
BYTE ** ppOutput,
LPDWORD pcbOutput
PBYTE VerifyThis(
PBYTE pBuffer,
LPDWORD pcbMessage,
struct _SecHandle *hCtxt,
ULONG cbMaxSignature
void PrintHexDump(DWORD length, PBYTE buffer);
BOOL ConnectAuthSocket (
SOCKET *s,
CredHandle *hCred,
PSecHandle phCtext,
char * pServer,
WCHAR * pCertName
BOOL CloseAuthSocket (SOCKET s);
BOOL DoAuthentication (SOCKET s, WCHAR * pCertName );
BOOL DoAuthentication (SOCKET s, std::string certThumb );
void MyHandleError(char *s);
#define DBG_SIZE 1024
int OutputDebug( char buff[DBG_SIZE] )
int retval;
char debugstring[DBG_SIZE+32];
retval = _snprintf_s( debugstring, DBG_SIZE+32, _TRUNCATE, " %s", buff );
OutputDebugStringA( debugstring );
return retval;
int DbgBufCopy( char *buff, const char *format, ...)
int iLen;
va_list args;
/// Call va_start to start the variable list
va_start(args, format);
/// Call _vsnprintf_s to copy debug information to the buffer
iLen = _vsnprintf_s(buff, DBG_SIZE, _TRUNCATE, format, args);
/// Call va_end to end the variable list
va_end(args);
return iLen;
#define LOGA(_format_and_args_)\
{ char __log_buf[DBG_SIZE];\
DbgBufCopy _format_and_args_;\
printf("%s", __log_buf );\
OutputDebug(__log_buf);\
#define TEST_MSG "This is your server speaking"
My initial attempt built an SCHANNEL_CRED structure following the documentation to set
grbitEnabledProtocols to 0, and let SChannel select the protocol. This worked on Windows 7, selecting TLS1. When I ran the same exe-s on 2008 R2, the Client program failed, with InitializeSecurityContext returning SEC_E_DECRYPT_FAILURE.
The failure occurred on the 2nd call, using phNewContext returned on the first call.
My next attempt set grbitEnabledProtocols to SP_PROT_TLS1_SERVER. This also worked on Win 7, but 2008R2 failed again, this time on the Server side. AcceptSecurityContext failed, returning SEC_E_ALGORITHM_MISMATCH.
TLS is a requirement for my project, but to try getting the sample to run, I next set grbitEnabledProtocols to SP_PROT_SSL2_SERVER. This did work for 2008R2, selecting SSL2, but now the Server failed on Win7 with AcceptSecurityContext returning
SEC_E_ALGORITHM_MISMATCH.
My final try was to set grbitEnabledProtocols to SP_PROT_TLS1_SERVER | SP_PROT_SSL2_SERVER, but that failed identically to the first case, with the Client on 2008R2 returning SEC_E_DECRYPT_FAILURE.
So my question is - What is required to get SChannel to select TLS regardless of the Windows version on which the programs are running?

Thank you for the reference. That did provide the information I needed to get TLS working. However, the documentation is not accurate with regard to setting the registry keys and values.
The tables all show DisabledByDefault as a subkey under the protocol. They also describe a DWORD value, Enabled, as the mechanism to enable/disable a protocol.
What I found is DisabledByDefault is a DWORD value under Client/Server and it appears to be the determining factor to whether a protocol is enabled/disabled.
The only way I was able to get TLS 1.1 working is with the following path present:
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
Under Client, I must have DisabledByDefault set to 0. With that, the Enabled value does not need to be present.
This held true for any level of TLS.
I also found the setting of grbitEnabledProtocols in the SCHANNEL_CRED structure to be misleading. From the description at
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx, I thought my Server program could set this field to 0, and SChannel would select the protocol as directed by the registry. What I found is that the structure flag must
agree with the registry setting for TLS to work. That is with the resgistry key above for TLS 1.1, I must set grbitEnabledProtocols to SP_PROT_TLS1_1.
Can you confirm the relationship between the SCHANNEL_CRED contents and registry state?

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

Hello,
We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug
*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
FAIL

Hi Steve, Here is the config for the AP. Some screenshots of the NPS config are below, too. Please let me know if you need more information from our NPS server. Thanks, Doug
ap#sh run
Building configuration...
Current configuration : 2971 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
aaa new-model
aaa group server radius rad_eap
server 10.20.2.96 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
server 10.20.2.96 auth-port 1645 acct-port 1646
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid wifi
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid wifi
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid wifi
antenna gain 0
dfs band 3 block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
. m12. m13. m14. m15.
channel dfs
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.40.0.200 255.255.0.0
no ip route-cache
ip default-gateway 10.40.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication mac
nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap#

ACS Server MAC Authentication with Windows Database

Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

Here is the link for setting up MAC authentication using CisoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

IIS Conflict with in Windows 2003 Server

Hai all,
When I am trying to install VC 6.0 in Windows Server 2003,It is giving an error, asking me to get the latest version of IIS.The system is already having IIS 6.0 as a package coming with Windows Server 2003 CD.I am note able to degrade the Version of IIS 6.0 to IIS 5.0(as mentioned in Installation Guideline).
Anybody plz give me a solution for this.Is it possible to install IIS 5.0 in windows 2003 server.What else I can do ?

I believe the note is quite clear (https://notescsn.wdf.sap.corp/~form/handler?_APP=01100107900000000342&_EVENT=DISPL_TXT&_NNUM=0000804496). If you ahve any specific questions on it let me know.

Authentication on Windows NT Server w/IIS 5

Similar Messages

Maybe you are looking for