kerberos does not support message encryption #300

Closed
sehot opened this issue Sep 23, 2020 · 6 comments

@sehot

sehot commented Sep 23, 2020

Hi,
I'm trying to use winrm with Kerberos and message encryption over HTTP.

I'm getting this error:

```
winrm.exceptions.WinRMError: message encryption is set to 'always' but the selected auth method kerberos does not support it
```

I'm working on Windows Server and I have the latest winrm.

If I disable message encryption and allow unencrypted on the host, it works, but I don't want to do that. I prefer to work with encrypted messages.

What am I missing?

@jborean93
Collaborator

You need to ensure you have the latest version of pykerberos (or winkerberos if you are running on a Windows host). To verify you have the proper version installed you can run `python -c "import kerberos; print(hasattr(kerberos, 'authGSSWinRMEncryptMessage'))"`. If that outputs `True` then pywinrm should pick it up correctly; if it outputs `False` then the Kerberos library is either outdated or doesn't support message encryption on your platform.

@sehot
Author

sehot commented Sep 26, 2020

I'm running on Windows Server 2012r2.
I don't have the kerberos library; I have the latest winkerberos library version (0.7.0), but I'm still getting False when I run your commands.

```
C:\Program Files (x86)\Python36-32\Scripts>pip3.exe freeze | findstr winkerberos
winkerberos==0.7.0
>>> import winkerberos
>>> print(hasattr(winkerberos,'authGSSWinRMEncryptMessage'))
False
>>>
```

Am I missing something? Do I need another or a different library?

@jborean93
Collaborator

Looking at the code, the GSS wrapping functions were only implemented in pykerberos which is the library used on Linux. The winkerberos library would need to be updated to implement that function so pywinrm can use it.

You could look into pypsrp if you are interested as that has Kerberos message encryption implemented for both Linux and Windows (it uses a different set of libraries). Otherwise you would need to use a HTTPS listener to avoid the encryption check or just use the builtin tools for Windows.
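
The check and the HTTPS fallback discussed in the comments above can be combined into a preflight that fails closed. This is an added example, not code from pywinrm or from any commenter; `find_kerberos_module`, `plan_transport` and the returned dictionary layout are hypothetical names, and ports 5985/5986 are the default WinRM HTTP/HTTPS listener ports.

```python
import importlib

# GSS wrap/unwrap entry points; the first is the name checked in this thread,
# the second is its decrypt counterpart in pykerberos.
WRAP_FUNCS = ("authGSSWinRMEncryptMessage", "authGSSWinRMDecryptMessage")
# pykerberos installs as `kerberos`; winkerberos is the Windows binding.
CANDIDATES = ("kerberos", "winkerberos")


def find_kerberos_module(candidates=CANDIDATES):
    """Return (name, module) for the first importable binding, else (None, None)."""
    for name in candidates:
        try:
            return name, importlib.import_module(name)
        except ImportError:
            continue
    return None, None


def plan_transport(host, name, module):
    """Choose a WinRM endpoint for `host` that never carries cleartext payloads."""
    missing = [f for f in WRAP_FUNCS
               if module is None or not callable(getattr(module, f, None))]
    if not missing:
        # Binding can wrap messages: the HTTP listener is safe with
        # message encryption forced on ('always', as in the error above).
        return {"endpoint": f"http://{host}:5985/wsman",
                "message_encryption": "always",
                "library": name, "missing": []}
    # No wrapping support: require the HTTPS listener so TLS protects the
    # payload, and leave message_encryption unset (None here) instead of
    # allowing unencrypted traffic on the host.
    return {"endpoint": f"https://{host}:5986/wsman",
            "message_encryption": None,
            "library": name, "missing": missing}


if __name__ == "__main__":
    lib_name, lib = find_kerberos_module()
    # "winhost.example.test" is a placeholder host name.
    print(plan_transport("winhost.example.test", lib_name, lib))
```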

@MarkusBartels

MarkusBartels commented Mar 30, 2021

I had the same problem as sehot.

Thanks for the hint with:

```
python3 -c "import kerberos; print(hasattr(kerberos, 'authGSSWinRMEncryptMessage'))"
```

It returned False on my system. Further investigation on my Ubuntu 20.04 showed that the pykerberos library is at 1.1.14.
After updating to 1.2.1 with

```
pip3 install 'pykerberos==1.2.1'
```

message encryption works.

@alehaa

alehaa commented Jul 7, 2021

macOS is returning False for version 1.2.1, too. Is there any information about compatibility of this feature from the upstream project available? Unfortunately, I can't find sources at GitHub containing authGSSWinRMEncryptMessage.

@jborean93
Collaborator

jborean93 commented Jul 7, 2021

> macOS is returning False for version 1.2.1, too. Is there any information about compatibility of this feature from the upstream project available?

macOS is another special beast where they use their own variant of Heimdal for GSSAPI but the wrapping functions required for Kerberos message encryption aren't exposed publicly. I had to do some special shenanigans to get it working for python-gssapi pythongssapi/python-gssapi#210 and even then I never continued forward with it because of packaging problems. A similar thing would have to happen with pykerberos to dynamically load the `__ApplePrivate_gss_wrap_iov` and `__ApplePrivate_gss_unwrap_iov` symbols at runtime for macOS and expose that in the `authGSSWinRMEncryptMessage` function for pykerberos.

The problems here exist in another project and not pywinrm so I'm going to close this issue.
