{"id":8590,"library":"requests-credssp","title":"requests-credssp","description":"requests-credssp is a Python library that enables HTTPS CredSSP authentication for the popular `requests` library. CredSSP is a Microsoft authentication protocol allowing credentials to be delegated to a server for double-hop authentication. It supports CredSSP protocol versions 2 to 6, initial authentication with NTLM or Kerberos, and message encryption. The library is actively maintained, with the latest major release (v2.0.0) in February 2022.","status":"active","version":"2.0.0","language":"en","source_language":"en","source_url":"https://github.com/jborean93/requests-credssp","tags":["http","authentication","windows","credssp","spnego","kerberos","ntlm","requests"],"install":[{"cmd":"pip install requests-credssp","lang":"bash","label":"Base Installation"},{"cmd":"pip install requests-credssp[kerberos]","lang":"bash","label":"With Kerberos support (Linux/Unix)"},{"cmd":"# System dependencies for Kerberos on Debian/Ubuntu\nsudo apt-get install python-dev libkrb5-dev krb5-user","lang":"bash","label":"Linux Kerberos System Dependencies (Debian/Ubuntu)"},{"cmd":"# System dependencies for Kerberos on CentOS/RHEL\nsudo yum -y install python-devel krb5-devel krb5-libs krb5-workstation","lang":"bash","label":"Linux Kerberos System Dependencies (CentOS/RHEL)"}],"dependencies":[{"reason":"Required for secure communication.","package":"cryptography","optional":false},{"reason":"Core library for CredSSP exchange, introduced in v1.2.0 and central since v2.0.0.","package":"pyspnego","optional":false},{"reason":"The underlying HTTP library.","package":"requests>=2.0.0","optional":false},{"reason":"Optional, for Kerberos authentication on Unix systems, installed with `[kerberos]` extra.","package":"python-gssapi","optional":true},{"reason":"Optional, for Kerberos authentication on Unix systems, installed with `[kerberos]` extra.","package":"pykrb5","optional":true}],"imports":[{"symbol":"HttpCredSSPAuth","correct":"from requests_credssp import HttpCredSSPAuth"}],"quickstart":{"code":"import requests\nimport os\nfrom requests_credssp import HttpCredSSPAuth\n\n# It's recommended to retrieve credentials from environment variables or a secure store\nusername = os.environ.get('CREDSSP_USERNAME', 'DOMAIN\\\\user')\npassword = os.environ.get('CREDSSP_PASSWORD', 'password')\n\n# Initialize the CredSSP authentication handler\n# minimum_version can be set (e.g., 5) to enforce higher CredSSP protocol versions\ncredssp_auth = HttpCredSSPAuth(username, password, minimum_version=5)\n\n# Make a request using the CredSSP authentication\ntry:\n    # Replace with your actual CredSSP-enabled endpoint\n    response = requests.get(\"https://server:5986/wsman\", auth=credssp_auth, verify=False) \n    response.raise_for_status()\n    print(f\"Request successful: {response.status_code}\")\n    print(response.text)\nexcept requests.exceptions.RequestException as e:\n    print(f\"Request failed: {e}\")\n    if e.response is not None:\n        print(f\"Response content: {e.response.text}\")\n","lang":"python","description":"This quickstart demonstrates how to use `requests-credssp` to perform an HTTP GET request with CredSSP authentication. It initializes `HttpCredSSPAuth` with a username and password (preferably from environment variables for security) and then uses it with a standard `requests.get()` call. The `minimum_version` parameter can be used to specify the required CredSSP protocol version for the server."},"warnings":[{"fix":"Access these properties/methods via `auth.contexts[hostname].<property_or_method>` instead of directly on the `HttpCredSSPAuth` instance.","message":"In v2.0.0, several properties and methods on the `HttpCredSSPAuth` class (e.g., `tls_context`, `tls_connection`, `cipher_negotiated`, `wrap()`, `unwrap()`) were removed. They must now be accessed through the `auth.contexts[hostname]` dictionary attribute.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"For compatibility with older Windows servers, ensure your Python environment's OpenSSL (or the system's) is configured to support the necessary cipher suites. Upgrading server OS or using a WinRM certificate for CredSSP on the server can also resolve issues. Setting `minimum_version` in `HttpCredSSPAuth` to a lower value (if acceptable for security) might also help.","message":"Version 2.0.0 removed `pyOpenSSL` and `pyasn1` as direct dependencies, relying solely on `pyspnego` for CredSSP exchange. This change can affect TLS/SSL cipher suite negotiation, especially with older Windows servers (e.g., Windows Server 2012 R2), as `pyspnego` utilizes Python's built-in `ssl` module, which might adhere to stricter system-wide OpenSSL policies.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Upgrade your Python environment to Python 3.6 or newer.","message":"Support for Python 2.7, 3.4, and 3.5 was dropped in v1.3.0. The minimum Python version required is now 3.6.","severity":"breaking","affected_versions":">=1.3.0"},{"fix":"Install the necessary system packages and the `[kerberos]` extra as documented in the installation instructions.","message":"Kerberos authentication on Linux/Unix systems requires additional system-level development packages (e.g., `libkrb5-dev`, `python-dev`) and installing `requests-credssp` with the `[kerberos]` extra (`pip install requests-credssp[kerberos]`). Without these, CredSSP will likely fall back to NTLM or fail.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"First, verify that the provided username and password are correct and have appropriate permissions on the target server. If credentials are correct, check the server's TLS/cipher suite compatibility. Consider updating the server's OS, ensuring it has necessary CredSSP/TLS updates, or configuring a stronger WinRM certificate. On the client, ensure your Python's `ssl` module (and underlying OpenSSL) supports ciphers compatible with the server. Debug with `logging.getLogger('requests_credssp').setLevel(logging.DEBUG)`.","cause":"This error often indicates that the server returned a 401 Unauthorized response or failed to negotiate a compatible TLS/cipher suite. It can be particularly common with older Windows servers (like 2012 R2) after upgrading `requests-credssp` to v2.0.0, due to changes in how TLS is handled by `pyspnego` (which uses Python's `ssl` module directly).","error":"credssp: Server did not response with a CredSSP token after step TLS Handshake - actual 'Negotiate, Basic realm=\"WSMAN\", CredSSP'"},{"fix":"Ensure both client and server have the latest CredSSP security updates. Alternatively, on the client machine, navigate to 'Computer Configuration > Administrative Templates > System > Credentials Delegation' in `gpedit.msc` and change the 'Encryption Oracle Remediation' policy to 'Enabled' and set the Protection Level to 'Vulnerable' (for testing, not recommended for production) or 'Mitigated' (if the server is still unpatched). The best long-term fix is to patch the server.","cause":"This message typically indicates a mismatch in CredSSP security configurations between the client and the server, specifically related to the 'Encryption Oracle Remediation' policy. It often happens when a client with CredSSP updates tries to connect to a server without them, and the client's policy is set too strictly (e.g., 'Force Updated Clients' or 'Mitigated' on the client side, disallowing insecure connections).","error":"An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation."},{"fix":"Verify that the import statement is `from requests_credssp import HttpCredSSPAuth`. Ensure `requests-credssp` is installed in your current Python environment by running `pip show requests-credssp` and `pip install requests-credssp` if it's missing or outdated.","cause":"This error means the `HttpCredSSPAuth` class is not found in the `requests_credssp` module. This is usually due to a typo in the import statement or the library not being correctly installed in the active Python environment.","error":"ImportError: cannot import name 'HttpCredSSPAuth' from 'requests_credssp'"}]}