[CSHARP-1310] The RFC defined checks are breaking the Kerberos auth in certain environment Created: 11/Jun/15  Updated: 03/Jan/18  Resolved: 13/Jun/15

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: 1.10, 2.0.1
Fix Version/s: 2.0.2, 2.1

Type: Bug Priority: Critical - P2
Reporter: Anil Kumar Assignee: Craig Wilson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Case:

 Description   

The following checks implemented break the driver in certain environments for the Kerberos Authentication:

public ISaslStep Transition(SaslConversation conversation, byte[] bytesReceivedFromServer)
            {
                // Even though RFC says that clients should specifically check this and raise an error
                // if it isn't true, this breaks on Windows XP, so we are skipping the check for windows
                // XP, identified as Win32NT 5.1: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
                if (Environment.OSVersion.Platform != PlatformID.Win32NT ||
                    Environment.OSVersion.Version.Major != 5) {
                    if (bytesReceivedFromServer == null || bytesReceivedFromServer.Length != 32) //RFC specifies this must be 4 octets
                    {
                        throw new MongoAuthenticationException(conversation.ConnectionId, message: "Invalid server response.");
                    }
                }

We should remove these extra checks for now.



 Comments   
Comment by Githook User [ 13/Jun/15 ]

Author:

{u'username': u'craiggwilson', u'name': u'Craig Wilson', u'email': u'craiggwilson@gmail.com'}

Message: CSHARP-1310: removed RFC check in SSPI integration due to invalid implementations from KDCs.
Branch: v2.0.x
https://github.com/mongodb/mongo-csharp-driver/commit/915f0160813c641d419d89149baf12b14dd6a6d8

Comment by Githook User [ 13/Jun/15 ]

Author:

{u'username': u'craiggwilson', u'name': u'Craig Wilson', u'email': u'craiggwilson@gmail.com'}

Message: CSHARP-1310: removed RFC check in SSPI integration due to invalid implementations from KDCs.
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/e4670bab29da00ef5a54eb19c75872fcd8d73b1b

Comment by Craig Wilson [ 11/Jun/15 ]

Note: We don't actually know what circumstances cause this issue to manifest itself. There are a good number of users authenticating with kerberos who aren't encountering any issues.

Generated at Wed Feb 07 21:39:14 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.