Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

windows 2008 #20

Open
cecyLDY opened this issue Oct 15, 2020 · 5 comments
Open

windows 2008 #20

cecyLDY opened this issue Oct 15, 2020 · 5 comments

Comments

@cecyLDY
Copy link

cecyLDY commented Oct 15, 2020

Server did not response with a CredSSP token after step Step 3. Server Authentication - actual 'Negotiate, CredSSP'

@JordanStopford
Copy link

I'm receiving a mix of this and failures after "Step 5", quite intermittently

@jborean93
Copy link
Owner

Server 2008 (non R2 version) is quite difficult because it doesn't have TLS 1.2 available as a reliable patch. I know Microsoft did release a TLS 1.2 patch but from my testing it just doesn't work from a server perspective. The disable_tlsv1_2 kwargs when creating the CredSSP context can be used to fallback to TLS 1.0 that Server 2008 does support but at this point you really should try and move away from this host.

The other issue is that the 3rd step can change based on the CredSSP version in play. By default requests-credssp should support the newer CredSSP versions that are available but you would need to ensure you have v1.0.0 or higher installed.

Have a look at the security event logs on the Windows host to see if it gives you any error codes that explains the failure. Also try just connecting with CredSSP auth from an actual Windows client to ensure that the host itself isn't faulty.

@JordanStopford
Copy link

Sorry, I should've said that my test host is 2008R2 (I may have misread the title of this bug!). I've in fact got two separate systems that exhibit this issue so it seems fairly easily reproducible - I wonder whether MS have released a patch that's changed something slightly. I've checked the security event logs and can't see anything immediately apparent and I can RDP into both hosts which from what I've read uses CredSSP too?

Is there anything else I should be looking for or any other information you need?

@cecyLDY
Copy link
Author

cecyLDY commented Oct 27, 2020

windows server 2008 r2 ,After The Windows update.Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual ''

@jborean93
Copy link
Owner

I wonder whether MS have released a patch that's changed something slightly

They did but that was in 2018. This library should support servers with and without this patch though. One issue with both Server 2008 and 2008 R2 is that they both don't have TLS 1.2 enabled by default. If you haven't installed the TLS 1.2 patch and enabled the protocol on the server through the required registry keys then CredSSP will be using TLS 1.0. This has some problems in the handshake process and requires a specific flag to be set disable_tlsv1_2=True to work with TLS 1.0.

Is there anything else I should be looking for or any other information you need?

There's nothing else that I know off, you might be able to get some more information by enabling SChannel debug logs and see if that reports anything. Also making sure you can connect using CredSSP with native PowerShell remoting Enter-PSSession -ComputerName server -Authentication CredSSP. If that doesn't work then this won't work as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants