BUG#34556157: Kerberos authorization fails when using SSPI as security interface

oscpache · oscpache · commit ce8a1a240447 · 2022-10-12T13:45:12.000-05:00
Connector/Python does support Kerberos authentication via GSSAPI on POSIX-based systems and Windows, additionally via SSPI on this latter OS. Authentication via GSSAPI is working alright on Windows, however, it is failing via SSPI. With this patch, the issues is fixed by using Negotiate as security support provider (SSP) instead of Kerberos. Negotiate acts as an application layer between Security Support Provider Interface (SSPI) and the other SSPs. Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. For more information regarding Negotiate and Kerberos, and why calling Negotiate is prefer over calling Kerberos directly, refer to [1, 2]. [1] https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate?source=recommendations [2] https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-kerberos?source=recommendations Change-Id: I7315a74e7a57e3fc5199fddbcf31d8a4c0297a11
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -13,6 +13,7 @@ v8.0.32
 
 - WL#15348: Support MIT Kerberos library on Windows
 - WL#15036: Support for type hints
+- BUG#34556157: Kerberos authorization fails when using SSPI as security interface
 
 v8.0.31
 =======
diff --git a/lib/mysql/connector/plugins/authentication_kerberos_client.py b/lib/mysql/connector/plugins/authentication_kerberos_client.py
@@ -397,8 +397,26 @@ def auth_response(self, auth_data: Optional[bytes] = None) -> Optional[bytes]:
         _LOGGER.debug("targetspn: %s", targetspn)
         _LOGGER.debug("_auth_info is None: %s", _auth_info is None)
 
+        # The Security Support Provider Interface (SSPI) is an interface
+        # that allows us to choose from a set of SSPs available in the
+        # system; the idea of SSPI is to keep interface consistent no
+        # matter what back end (a.k.a., SSP) we choose.
+
+        # When using SSPI we should not use Kerberos directly as SSP,
+        # as remarked in [2], but we can use it indirectly via another
+        # SSP named Negotiate that acts as an application layer between
+        # SSPI and the other SSPs [1].
+
+        # Negotiate can select between Kerberos and NTLM on the fly;
+        # it chooses Kerberos unless it cannot be used by one of the
+        # systems involved in the authentication or the calling
+        # application did not provide sufficient information to use
+        # Kerberos.
+
+        # [1] https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate?source=recommendations
+        # [2] https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-kerberos?source=recommendations
         self.clientauth = sspi.ClientAuth(
-            "Kerberos",
+            "Negotiate",
             targetspn=targetspn,
             auth_info=_auth_info,
             scflags=sum(flags),
