We have a Jenkins server that uses Kerberos-SSO, with a fallback to Basic if SSO is not configured on the browser or using curl.
When I use curl with the --negotiate argument, however, it doesn't send basic credentials information when asked for it even though the server is clearly sending www-authenticate negotiation headers.
Command used:
curl --verbose --negotiate --basic --user "username":"password" myserver.mycompany.com
* About to connect() to myserver.mycompany.com port 443 (#0)
* Trying 10.5.24.212...
* Connected to myserver.mycompany.com (10.5.24.212) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.mycompany.com,O=MyCompany International,L=New York,ST=New York,C=US
* start date: Aug 31 17:14:45 2020 GMT
* expire date: Aug 31 17:14:45 2022 GMT
* common name: *.mycompany.com
* issuer: CN=MyCompany Intermediate CA 3,DC=ad,DC=mycompany,DC=com
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myserver.mycompany.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< date: Thu, 01 Oct 2020 16:04:44 GMT
< server: Apache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
< www-authenticate: Negotiate
< www-authenticate: Basic realm="MyCompany SSO"
< cache-control: no-cache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
< content-length: 381
< content-type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host myserver.mycompany.com left intact
* Issue another request to this URL: 'https://myserver.mycompany.com/'
* Found bundle for host myserver.mycompany.com: 0xe8ef50
* Re-using existing connection! (#0) with host myserver.mycompany.com
* Connected to myserver.mycompany.com (10.5.24.212) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myserver.mycompany.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< date: Thu, 01 Oct 2020 16:04:44 GMT
< server: Apache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
* gss_init_sec_context() failed: : No Kerberos credentials available (default cache: KEYRING:persistent:0)
< www-authenticate: Negotiate
< www-authenticate: Basic realm="MyCompany SSO"
< cache-control: no-cache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
< content-length: 381
< content-type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
Curl information:
$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
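In the trace above, neither request carries an Authorization header: curl tries Negotiate, `gss_init_sec_context()` fails for lack of a ticket, and no Basic credentials follow. The wrapper below is an added example, not part of the original post: it picks one scheme per request based on whether a Kerberos ticket exists, and keeps the Basic password out of the process list. The function names and the `SSO_USER`/`SSO_PASS` variables are assumptions, as is the use of MIT Kerberos `klist`.

```shell
#!/bin/sh
# Added example: choose ONE auth scheme per request instead of combining
# --negotiate and --basic. Function names and the SSO_USER / SSO_PASS
# variables are assumptions made for this sketch.

# Succeeds when the default credential cache holds a usable ticket.
# MIT Kerberos `klist -s` prints nothing and reports via its exit status.
have_krb_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null
}

# Prints "negotiate" when a ticket is available, otherwise "basic".
auth_scheme() {
    if have_krb_ticket; then echo negotiate; else echo basic; fi
}

# Emits a curl config line holding the credentials, escaping \ and " as
# curl's config-file syntax requires inside double quotes.
basic_config() {
    cfg_user=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
    cfg_pass=$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')
    printf 'user = "%s:%s"\n' "$cfg_user" "$cfg_pass"
}

# Usage: sso_curl URL [extra curl options...]
sso_curl() {
    [ "$#" -ge 1 ] || { echo "usage: sso_curl URL [curl options]" >&2; return 2; }
    url=$1; shift
    case $url in
        https://*) ;;   # Basic credentials must only ever travel over TLS
        *) echo "sso_curl: refusing non-HTTPS URL: $url" >&2; return 2 ;;
    esac
    if [ "$(auth_scheme)" = negotiate ]; then
        # Empty user name: the identity comes from the Kerberos ticket.
        curl --proto '=https' --negotiate --user : "$@" "$url"
    else
        # Credentials are passed on stdin, so the password never appears in
        # curl's argument list, which other local users can read with ps.
        basic_config "$SSO_USER" "$SSO_PASS" |
            curl --proto '=https' --basic --config - "$@" "$url"
    fi
}
```

Because the Basic branch feeds curl's config from stdin, a request body cannot also be read from stdin there (`--data @-`); pass it from a file instead.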