[cvsnt] sspi authentication bug?

Jon Lennard jlennard at mesatechpartners.com
Mon Feb 23 21:26:09 GMT 2004


SSPI is authenticating against the VPN account.  The session
joins the domain and Microsoft provides the username/password
info of the VPN account.  I verified this by removing repository
file access privileges for a user account and then establishing a VPN
session using this account.  A 'cvs login' still succeeds because
the account is a legitimate one on the server, but this account
is denied permission to do any cvs commands because it can't
access the repository.

>
> >The guest account is disabled.  I am new to the SSPI protocol -
> >I just heard of it today.  Since this is a Microsoft proprietary
> >protocol is there any way it is authenticating off of the
> >VPN account?  I wouldn't think this is possible but
> >with M$ you never know.
> >
> >
> >
> Agreed.  I'd say it depends on the type of VPN, and I don't know enough
> about them to help you further down that path.  Suffice to say that if
> you can do a "net view" against the server, then SSPI can connect and be
> authenticated.  SSPI asks Windows to handle the authentication, so as
> long as Win can work out some method it'll work.
>
> Another possibility is if you've established a session with that server
> through some file share or similar.  If you're communicating with the
> server with a method that requires authentication (with some exceptions)
> then you already have your credentials established and that's probably
> what SSPI is using.
>
> I'm curious as to the outcome.  If there is a bug I certainly want to
> know about it.  Please keep us informed.
>
> Regards,
>
> -- 
> Glen Starrett





More information about the cvsnt mailing list