I'm not quite sure I have given the right description.
Basically, I'm trying to add Windows Authentication to a node.js site.
I send back a 401 with the WWW-Authenticate: Negotiate header.
The browser immediately fires back an authorization header with the value Negotiate <some string of characters>.
At this point, I just want to ensure the token is valid. I've tried to find examples of other open-source frameworks that do this, but I didn't really know what I was looking for.
Just to be clear, the user has already signed on to the domain and is not sending username/password information.
(I may not fully understand how all this works).
I just found this.
Server decodes the NegTokenInit, extracts the supported MechTypes (the one at the front of the MechTypeList should be either Kerberos Legacy or Kerberos V5), ensures it is one of the expected ones, and then extracts the MechToken and authenticates using gss_accept_security_context.
If I understand it correctly, I'm looking for gss_accept_security_context.
I also tried using GSSManager in Java with no luck. I posted that problem here.
Am I headed in the right direction?
I have recently submitted a pull request for the kerberos module mentioned above (https://www.npmjs.org/package/kerberos) to implement server side authentication. Previously that module only had client side APIs implemented.
I have also created a passport authentication strategy, passport-negotiate (https://www.npmjs.com/package/passport-negotiate) which utilizes this and implements server side HTTP authentication, including the 401 and the WWW-Authenticate.
You can see the details of it here:
https://github.com/dmansfield/passport-negotiate/blob/master/lib/passport-negotiate/strategy.js
Unfortunately, this won't work unless the pull request gets merged into the kerberos module and there's a new release, or you can get the patched version of kerberos from my github:
There is now a kerberos module: https://www.npmjs.org/package/kerberos
It looks to me like it's still undergoing heavy development and the call you mention is currently commented out (look for gss_accept_sec_context which is currently in kerberosgss.c).
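The decoding step from the description quoted in the question (NegTokenInit, MechTypeList, MechToken), as an added Node.js example that is not part of the original posts and is not code from the kerberos or passport-negotiate modules. The function names and the sample token are constructed for illustration, and the parser only checks structure: the extracted mechToken still has to be accepted by gss_accept_sec_context before the user counts as authenticated.

```javascript
// Mechanism OIDs from the quoted description: Kerberos V5 and Kerberos Legacy.
const KERBEROS_OIDS = new Set(['1.2.840.113554.1.2.2', '1.2.840.48018.1.2.2']);
const SPNEGO_OID = '1.3.6.1.5.5.2';
// Read one bounds-checked DER TLV at `pos`, optionally enforcing its tag.
function readTlv(buf, pos, wantTag) {
  if (pos + 2 > buf.length) throw new Error('truncated TLV');
  let len = buf[pos + 1], off = pos + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || off + n > buf.length) throw new Error('bad DER length');
    len = buf.readUIntBE(off, n);
    off += n;
  }
  if (off + len > buf.length) throw new Error('length exceeds buffer');
  if (wantTag !== undefined && buf[pos] !== wantTag) throw new Error('unexpected tag');
  return { tag: buf[pos], value: buf.subarray(off, off + len), next: off + len };
}
function children(buf) { // all TLVs directly inside a constructed value
  const out = [];
  for (let p = 0; p < buf.length; p = out[out.length - 1].next) out.push(readTlv(buf, p));
  return out;
}
function decodeOid(b) {
  const arcs = [Math.floor(b[0] / 40), b[0] % 40];
  for (let i = 1, v = 0; i < b.length; i++) {
    v = v * 128 + (b[i] & 0x7f);
    if (!(b[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join('.');
}

// Structural check only: the returned mechToken must still be verified with
// gss_accept_sec_context (or equivalent) against the service's keytab.
function parseNegotiateHeader(header) {
  const m = /^Negotiate ([A-Za-z0-9+\/]+={0,2})$/.exec(header || '');
  if (!m) throw new Error('not a Negotiate header');
  const app = readTlv(Buffer.from(m[1], 'base64'), 0, 0x60); // raw NTLMSSP fails here
  const oid = readTlv(app.value, 0, 0x06);
  if (decodeOid(oid.value) !== SPNEGO_OID) throw new Error('not SPNEGO');
  const init = readTlv(readTlv(app.value, oid.next, 0xa0).value, 0, 0x30).value;
  const fields = children(init);
  const types = fields.find(f => f.tag === 0xa0); // [0] mechTypes
  const tok = fields.find(f => f.tag === 0xa2);   // [2] mechToken
  if (!types || !tok) throw new Error('mechTypes or mechToken missing');
  const mechTypes = children(readTlv(types.value, 0, 0x30).value).map(o => decodeOid(o.value));
  if (!KERBEROS_OIDS.has(mechTypes[0])) throw new Error('first mechType is not Kerberos');
  return { mechTypes, mechToken: readTlv(tok.value, 0, 0x04).value };
}
// Constructed sample (not a real ticket): mechTypes = [Kerberos V5, NTLMSSP], mechToken = deadbeef.
const SAMPLE = 'Negotiate ' + Buffer.from('602f06062b0601050502a0253023a0193017' +
  '06092a864886f712010202060a2b06010401823702020aa2060404deadbeef', 'hex').toString('base64');
```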