时间戳

首页 > 解决方案 > GSSAPI:InitializeSecurityContext 返回的错误 0x80090311

c++ - GSSAPI:InitializeSecurityContext 返回的错误 0x80090311

问题描述

我需要使用 Kerberos 设置活动目录身份验证系统。我的AcquireCredentialsHandleA班级如下所示。https://docs.microsoft.com/en-us/windows/win32/secauthn/acquirecredentialhandle--kerberos

SEC_WINNT_AUTH_IDENTITY AuthData, *pAuthData = NULL;
#ifdef UNICODE
    AuthData.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
#else
    AuthData.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
#endif
    unsigned char username[200] = "user";
    unsigned char domain[200] = "domain.com";
    unsigned char password[100] = "secret";
    AuthData.User = &username[0]; //username
    AuthData.Domain = &domain[0]; //domain
    AuthData.Password = &password[0]; //password
    AuthData.UserLength = AuthData.User ? sizeof(AuthData.User) : 0;
    AuthData.DomainLength = AuthData.Domain ? sizeof(AuthData.Domain) : 0;
    AuthData.PasswordLength = AuthData.Password ? sizeof(AuthData.Password) : 0;

Status = g_pSSPI->AcquireCredentialsHandleA(
        NULL,                 // Name of principal   //pN       
        ppPackageInfo[2].Name,//"kerberos" Name of package 
        SECPKG_CRED_OUTBOUND, // Flags indicating use
        NULL,                 // Pointer to logon ID
        pAuthData, //NULL,    // Package specific data
        NULL,                 // Pointer to GetKey() func
        NULL,                 // Value to pass to GetKey()
        phCreds,              // (out) Cred Handle
        &tsExpiry
    );

这将返回成功。但是,当我调用我的InitializeSecurityContextA函数时,它给了我 0x80090311 错误,这意味着SEC_E_NO_AUTHENTICATING_AUTHORITY。我已经尝试了各种可能的域名等。当我ksetup在 powershell 中这样做时,它可以生成具有相同凭据的票证。但是代码总是失败。任何人都可以在这里发现任何问题吗?

dwSSPIFlags = ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_USE_SESSION_KEY | ISC_REQ_CONNECTION; // Not sure at all about them flags

    OutBuffers[0].pvBuffer = NULL;
    OutBuffers[0].BufferType = SECBUFFER_TOKEN; //2
    //OutBuffers[0].cbBuffer = 0;
    OutBuffers[0].cbBuffer = 7084;

    OutBuffer.cBuffers = 1;
    OutBuffer.pBuffers = OutBuffers;
    OutBuffer.ulVersion = SECBUFFER_VERSION; //0    
    Status = g_pSSPI->InitializeSecurityContextA
            (
                phCreds,
                fHaveCtxtHandle ? phContext : NULL,//phContext, can be NULL for the first call 
                server, 
                dwSSPIFlags,
                0,
                SECURITY_NETWORK_DREP,//SECURITY_NATIVE_DREP,
                fHaveCtxtHandle ? &InBuffer : NULL,
                0,
                fHaveCtxtHandle ? NULL : phContext ,
                &OutBuffer,
                &dwSSPIOutFlags,
                &tsExpiry
            );

谁能帮我这个?非常感谢。:)

-------------------------------------------------- - - - - - - - 编辑 - - - - - - - - - - - - - - - - - - --------------------------

    std::string fqdn = "HTTP/staging.company.com"; 
    char * server = new char[fqdn.size() + 1];
    std::copy(fqdn.begin(), fqdn.end(), server);
    server[fqdn.size()] = '\0';

所以这就是我设置服务名称的方式。我也在我的活动目录中注册了这个服务名称。尽管该地址尚未提供任何特定服务。你认为这可能是问题所在吗?另一个细节:活动目录不在同一个办公室,我们通过路由器隧道连接到它。

标签: c++active-directorykerberos

解决方案

推荐阅读