requests-credssp
requests-credssp is a Python library that enables HTTPS CredSSP authentication for the popular `requests` library. CredSSP is a Microsoft authentication protocol allowing credentials to be delegated to a server for double-hop authentication. It supports CredSSP protocol versions 2 to 6, initial authentication with NTLM or Kerberos, and message encryption. The library is actively maintained, with the latest major release (v2.0.0) in February 2022.
Common errors
- `credssp: Server did not response with a CredSSP token after step TLS Handshake - actual 'Negotiate, Basic realm="WSMAN", CredSSP'`
  - cause: This error often indicates that the server returned a 401 Unauthorized response or failed to negotiate a compatible TLS/cipher suite. It can be particularly common with older Windows servers (like 2012 R2) after upgrading `requests-credssp` to v2.0.0, due to changes in how TLS is handled by `pyspnego` (which uses Python's `ssl` module directly).
  - fix: First, verify that the provided username and password are correct and have appropriate permissions on the target server. If credentials are correct, check the server's TLS/cipher suite compatibility. Consider updating the server's OS, ensuring it has necessary CredSSP/TLS updates, or configuring a stronger WinRM certificate. On the client, ensure your Python's `ssl` module (and underlying OpenSSL) supports ciphers compatible with the server. Debug with `logging.getLogger('requests_credssp').setLevel(logging.DEBUG)`.
- `An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation.`
  - cause: This message typically indicates a mismatch in CredSSP security configurations between the client and the server, specifically related to the 'Encryption Oracle Remediation' policy. It often happens when a client with CredSSP updates tries to connect to a server without them, and the client's policy is set too strictly (e.g., 'Force Updated Clients' or 'Mitigated' on the client side, disallowing insecure connections).
  - fix: Ensure both client and server have the latest CredSSP security updates. Alternatively, on the client machine, navigate to 'Computer Configuration > Administrative Templates > System > Credentials Delegation' in `gpedit.msc` and change the 'Encryption Oracle Remediation' policy to 'Enabled' and set the Protection Level to 'Vulnerable' (for testing, not recommended for production) or 'Mitigated' (if the server is still unpatched). The best long-term fix is to patch the server.
- `ImportError: cannot import name 'HttpCredSSPAuth' from 'requests_credssp'`
  - cause: This error means the `HttpCredSSPAuth` class is not found in the `requests_credssp` module. This is usually due to a typo in the import statement or the library not being correctly installed in the active Python environment.
  - fix: Verify that the import statement is `from requests_credssp import HttpCredSSPAuth`. Ensure `requests-credssp` is installed in your current Python environment by running `pip show requests-credssp` and `pip install requests-credssp` if it's missing or outdated.
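For the first error above, the client-side cipher check can be done offline with the standard `ssl` module. This is an added example, not code from requests-credssp or pyspnego; it assumes a stock client context is a fair stand-in for the one pyspnego builds, and `SAMPLE_SERVER_SUITES` is a constructed list to be replaced with the suites your own server reports.

```python
import ssl

# Constructed sample: suites (OpenSSL names) a legacy WinRM listener might accept.
# Replace with the list reported for your own server.
SAMPLE_SERVER_SUITES = ["ECDHE-RSA-AES256-SHA384", "AES256-GCM-SHA384", "AES256-SHA"]


def client_tls_profile(ctx=None):
    """Summarise what this interpreter's ssl module would offer as a TLS client."""
    # Assumption: a stock client context stands in for the one pyspnego creates.
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        # Suite name -> protocol version the suite belongs to.
        "ciphers": {c["name"]: c["protocol"] for c in ctx.get_ciphers()},
    }


def shared_ciphers(server_suites, ctx=None):
    """Return the server suites this client also enables, keeping server order."""
    enabled = client_tls_profile(ctx)["ciphers"]
    return [name for name in server_suites if name in enabled]


def diagnose(server_suites, ctx=None):
    """Return (ok, message) saying whether a handshake has any suite to pick."""
    profile = client_tls_profile(ctx)
    common = shared_ciphers(server_suites, ctx)
    if common:
        return True, f"{len(common)} shared suite(s), first: {common[0]}"
    return False, (
        f"no shared cipher suite; {profile['openssl']} enables "
        f"{len(profile['ciphers'])} suites, minimum {profile['min_version']}"
    )


if __name__ == "__main__":
    ok, message = diagnose(SAMPLE_SERVER_SUITES)
    print("OK" if ok else "FAIL", "-", message)
```

An empty overlap points at the client's OpenSSL policy or the server's enabled suites rather than at the credentials.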
Warnings
- breaking: In v2.0.0, several properties and methods on the `HttpCredSSPAuth` class (e.g., `tls_context`, `tls_connection`, `cipher_negotiated`, `wrap()`, `unwrap()`) were removed. They must now be accessed through the `auth.contexts[hostname]` dictionary attribute.
- breaking: Version 2.0.0 removed `pyOpenSSL` and `pyasn1` as direct dependencies, relying solely on `pyspnego` for CredSSP exchange. This change can affect TLS/SSL cipher suite negotiation, especially with older Windows servers (e.g., Windows Server 2012 R2), as `pyspnego` utilizes Python's built-in `ssl` module, which might adhere to stricter system-wide OpenSSL policies.
- breaking: Support for Python 2.7, 3.4, and 3.5 was dropped in v1.3.0. The minimum Python version required is now 3.6.
- gotcha: Kerberos authentication on Linux/Unix systems requires additional system-level development packages (e.g., `libkrb5-dev`, `python-dev`) and installing `requests-credssp` with the `[kerberos]` extra (`pip install requests-credssp[kerberos]`). Without these, CredSSP will likely fall back to NTLM or fail.
Install
- `pip install requests-credssp`
- `pip install requests-credssp[kerberos]`
- System dependencies for Kerberos on Debian/Ubuntu: `sudo apt-get install python-dev libkrb5-dev krb5-user`
- System dependencies for Kerberos on CentOS/RHEL: `sudo yum -y install python-devel krb5-devel krb5-libs krb5-workstation`
Imports
- HttpCredSSPAuth: `from requests_credssp import HttpCredSSPAuth`
Quickstart
```python
import os

import requests
from requests_credssp import HttpCredSSPAuth

# It's recommended to retrieve credentials from environment variables or a secure store
username = os.environ.get('CREDSSP_USERNAME', 'DOMAIN\\user')
password = os.environ.get('CREDSSP_PASSWORD', 'password')

# Initialize the CredSSP authentication handler
# minimum_version can be set (e.g., 5) to enforce higher CredSSP protocol versions
credssp_auth = HttpCredSSPAuth(username, password, minimum_version=5)

# Make a request using the CredSSP authentication
try:
    # Replace with your actual CredSSP-enabled endpoint.
    # verify=False turns off certificate validation for the HTTPS connection;
    # pass the path to a CA bundle instead when the server certificate can be verified.
    response = requests.get("https://server:5986/wsman", auth=credssp_auth, verify=False)
    response.raise_for_status()
    print(f"Request successful: {response.status_code}")
    print(response.text)
except requests.exceptions.RequestException as e:
    print(f"Request failed: {e}")
    if e.response is not None:
        print(f"Response content: {e.response.text}")
```